VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.1
January 2004

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: DOC-7815731=
Text Part Number: 78-15731-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

VPN 3000 Series Concentrator Reference Volume I: Configuration
Copyright © 2004 Cisco Systems, Inc. All rights reserved.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)

Contents

Preface xxvii

Audience xxvii

Prerequisites xxvii

Organization xxviii

Related Documentation xxx

VPN 3000 Series Concentrator Documentation xxx

VPN Client Documentation xxx

VPN 3002 Hardware Client Documentation xxx

Documentation on VPN Software Distribution CDs xxxi

Other References xxxi

Conventions xxxii

Data Formats xxxiii

Obtaining Documentation xxxiv

Cisco.com xxxiv

Ordering Documentation xxxiv

Documentation Feedback xxxiv

Obtaining Technical Assistance xxxv

Cisco.com xxxv

Technical Assistance Center xxxvi

Obtaining Additional Publications and Information xxxvii

CHAPTER 1 Using the VPN Concentrator Manager 1-1

Browser Requirements 1-2

Connecting to the VPN Concentrator Using HTTP 1-4

Installing the SSL Certificate in Your Browser 1-5

Installing the SSL Certificate with Internet Explorer 1-6

Installing the SSL Certificate with Netscape 1-13

Connecting to the VPN Concentrator Using HTTPS 1-20

Logging into the VPN Concentrator Manager 1-21

Configuring HTTP, HTTPS, and SSL Parameters 1-22

Organization of the VPN Concentrator Manager 1-22

Navigating the VPN Concentrator Manager 1-22

VPN 3000 Series Concentrator Reference Volume I: Configuration, 78-15731-01, page iii

CHAPTER 2 Configuration 2-1

Configuration 2-1

CHAPTER 3 Interfaces 3-1

Configuration | Interfaces 3-2

Refresh 3-3

Interface 3-3

Status 3-4

IP Address 3-4

Subnet Mask 3-5

MAC Address 3-5

Default Gateway 3-5

Power Supplies 3-5

Ethernet 1 (Private), Ethernet 2 (Public), Ethernet 3 (External) Module in Back-Panel Image 3-5

Configuration | Interfaces | Power 3-6

Alarm Thresholds 3-7

CPU 3-7

Power Supply A, B 3-8

Board 3-8

Apply / Cancel 3-8

Configuration | Interfaces | Ethernet 1 2 3 3-9

Using the Tabs 3-9

General Parameters Tab 3-10

RIP Parameters Tab 3-15

OSPF Parameters Tab 3-17

Apply / Cancel 3-19

Bandwidth Parameters Tab 3-20

WebVPN Parameters Tab 3-22

Allow Management HTTPS sessions 3-23

Allow WebVPN HTTPS session 3-24

Redirect to HTTP to HTTPS 3-24

Allow POP3S sessions 3-24

Allow IMAP4S sessions 3-24

Allow SMTPS sessions 3-24

CHAPTER 4 System Configuration 4-1

Configuration | System 4-1

CHAPTER 5 Servers 5-1

Configuration | System | Servers 5-1

Configuration | System | Servers | Authentication 5-3

Authentication Servers 5-4

Add / Modify / Delete / Move / Test 5-4

Configuration | System | Servers | Authentication | Add or Modify 5-7

Server Type = RADIUS 5-7

Server Type = NT Domain 5-9

Server Type = SDI 5-11

Server Type = Kerberos/Active Directory 5-13

Server Type = Internal Server 5-15

Configuration | System | Servers | Authentication | Delete 5-16

Yes / No 5-16

Configuration | System | Servers | Authentication | Test 5-17

Username 5-17

Password 5-17

OK / Cancel 5-17

Authentication Server Test: Success 5-18

Authentication Server Test: Authentication Rejected Error 5-18

Authentication Server Test: Authentication Error 5-19

Configuration | System | Servers | Authorization 5-20

Configuring Authorization Servers for IPSec, PPTP and L2TP Clients 5-21

Configuring Authorization Servers for VPN 3002 Hardware Clients 5-21

Configuring Authorization Servers for WebVPN 5-21

Authorization Servers 5-23

Add / Modify / Delete / Move / Test 5-23

Configuration | System | Servers | Authorization | Add or Modify 5-24

Server Type = RADIUS 5-24

Server Type = LDAP 5-26

Configuration | System | Servers | Authorization | Test 5-30

Username 5-30

OK / Cancel 5-30

Authorization Server Test: Success 5-31

Authorization Server Test: Authorization Error 5-31

Configuration | System | Servers | Accounting 5-32

Accounting Servers 5-33

Add / Modify / Delete / Move 5-33

Configuration | System | Servers | Accounting | Add or Modify 5-34

Accounting Server 5-34

Server Port 5-34

Timeout 5-34

Retries 5-34

Server Secret 5-35

Verify 5-35

Add or Apply / Cancel 5-35

Configuration | System | Servers | DNS 5-36

Enabled 5-36

Domain 5-36

Primary DNS Server 5-36

Secondary DNS Server 5-37

Tertiary DNS Server 5-37

Timeout Period 5-37

Timeout Retries 5-37

Apply / Cancel 5-37

Configuration | System | Servers | DHCP 5-38

DHCP Servers 5-38

Add / Modify / Delete / Move 5-39

Configuration | System | Servers | DHCP | Add or Modify 5-40

DHCP Server 5-40

Server Port 5-40

Add or Apply / Cancel 5-40

Configuration | System | Servers | Firewall 5-41

Zone Labs Integrity Servers 5-41

Failure Policy 5-41

Server Port 5-42

SSL Client Authentication 5-42

Apply/Cancel 5-42

Configuration | System | Servers | NBNS 5-43

Enabled 5-43

Server Type 5-43

Primary NBNS Server 5-43

Secondary NBNS Server 5-44

Tertiary NBNS Server 5-44

Timeout Period 5-44

Timeout Retries 5-44

Apply / Cancel 5-44

Configuration | System | Servers | NTP 5-45

Configuration | System | Servers | NTP | Parameters 5-46

Sync Frequency 5-46

Apply / Cancel 5-46

Configuration | System | Servers | NTP | Hosts 5-47

NTP Hosts 5-47

Add / Modify / Delete 5-47

Configuration | System | Servers | NTP | Hosts | Add or Modify 5-48

NTP Host 5-48

Add or Apply / Cancel 5-48

CHAPTER 6 Address Management 6-1

Configuration | System | Address Management 6-2

Configuration | System | Address Management | Assignment 6-3

Use Client Address 6-3

Use Address from Authentication Server 6-3

Use DHCP 6-4

Use Address Pools 6-4

Apply / Cancel 6-4

Configuration | System | Address Management | Pools 6-5

IP Pool Entry 6-5

Add / Modify / Delete 6-5

Configuration | System | Address Management | Pools | Add or Modify 6-6

Range Start 6-6

Range End 6-6

Add or Apply / Cancel 6-6

CHAPTER 7 IP Routing 7-1

Configuration | System | IP Routing 7-2

Configuration | System | IP Routing | Static Routes 7-3

Static Routes 7-3

Add / Modify / Delete 7-4

Configuration | System | IP Routing | Static Routes | Add or Modify 7-5

Network Address 7-5

Subnet Mask 7-5

Metric 7-5

Destination 7-6

Add or Apply / Cancel 7-6

Configuration | System | IP Routing | Default Gateways 7-7

Default Gateway 7-7

Metric 7-7

Tunnel Default Gateway 7-8

Override Default Gateway 7-9

Apply / Cancel 7-9

Configuration | System | IP Routing | OSPF 7-10

Enabled 7-10

Router ID 7-11

Autonomous System 7-11

Apply / Cancel 7-11

Configuration | System | IP Routing | OSPF Areas 7-12

OSPF Area 7-12

Add / Modify / Delete 7-12

Configuration | System | IP Routing | OSPF Areas | Add or Modify 7-13

Area ID 7-13

Area Summary 7-13

External LSA Import 7-14

Add or Apply / Cancel 7-14

Configuration | System | IP Routing | DHCP Parameters 7-15

Enabled 7-15

Lease Timeout 7-15

Listen Port 7-16

Timeout Period 7-16

Apply / Cancel 7-16

Configuration | System | IP Routing | DHCP Relay 7-17

Enabled 7-17

DHCP Info Transmission 7-18

Apply / Cancel 7-18

Configuration | System | IP Routing | Redundancy 7-19

Enable VRRP 7-20

Group ID 7-20

Group Password 7-20

Role 7-20

Advertisement Interval 7-21

Group Shared Addresses 7-21

1 (Private) 7-21

2 (Public) 7-21

3 (External) 7-21

Apply / Cancel 7-21

Configuration | System | IP Routing | Reverse Route Injection 7-22

Client Reverse Route Injection 7-23

Network Extension Reverse Route Injection 7-23

Address Pool Hold Down Routes 7-23

Generate Hold Down Routes 7-24

Apply / Cancel 7-24

CHAPTER 8 Management Protocols 8-1

Configuration | System | Management Protocols 8-1

Configuration | System | Management Protocols | FTP 8-2

Enable 8-2

Port 8-2

Maximum Connections 8-3

Apply / Cancel 8-3

Configuration | System | Management Protocols | HTTP 8-4

Enable HTTP 8-5

HTTP Port 8-5

Maximum Sessions 8-5

Apply / Cancel 8-5

Configuration | System | Management Protocols | TFTP 8-6

Enable 8-6

Port 8-6

Maximum Connections 8-6

Timeout 8-7

Apply / Cancel 8-7

Configuration | System | Management Protocols | Telnet 8-8

Enable Telnet 8-8

Telnet Port 8-9

Maximum Connections 8-9

Apply / Cancel 8-9

Configuration | System | Management Protocols | SNMP 8-10

Enable 8-10

Port 8-10

Maximum Queued Requests 8-11

Apply / Cancel 8-11

Configuration | System | Management Protocols | SNMP Communities 8-12

Community Strings 8-12

Add / Modify / Delete 8-12

Configuration | System | Management Protocols | SNMP Communities | Add or Modify 8-13

Community String 8-13

Add or Apply / Cancel 8-13

Configuration | System | Management Protocols | XML 8-14

Enable 8-14

Enable HTTPS on Public 8-15

HTTPS IP Address 8-15

HTTPS Wildcard-mask 8-15

Enable SSH on Public 8-15

SSH IP Address 8-15

SSH Wildcard-mask 8-15

CHAPTER 9 Events 17

Event Class 17

Event Severity Level 20

Event Log 21

Event Log Data 21

Configuration | System | Event 22

Configuration | System | Events | General 23

Save Log on Wrap 23

Save Log Format 24

FTP Saved Log on Wrap 24

E-mail Source Address 24

Syslog Format 25

Events to Log 26

Events to Console 26

Events to Syslog 27

Events to E-mail 27

Events to Trap 27

Event List 28

Apply / Cancel 29

Configuration | System | Events | FTP Backup 30

FTP Server 30

FTP Directory 30

FTP Username 31

FTP Password 31

Verify 31

Apply / Cancel 31

Configuration | System | Events | Classes 32

Configured Event Classes 32

Add / Modify / Delete 33

Configuration | System | Events | Classes | Add or Modify 34

Class Name 34

Enable 34

Events to Log 35

Events to Console 35

Events to Syslog 35

Events to E-mail 36

Events to Trap 36

Add or Apply / Cancel 36

Configuration | System | Events | Trap Destinations 37

Trap Destinations 37

Add / Modify / Delete 38

Configuration | System | Events | Trap Destinations | Add or Modify 39

Destination 39

SNMP Version 39

Community 39

Port 39

Add or Apply / Cancel 40

Configuration | System | Events | Syslog Servers 41

Syslog Servers 41

Add / Modify / Delete 41

Configuration | System | Events | Syslog Servers | Add or Modify 42

Syslog Server 42

Port 42

Facility 43

Add or Apply / Cancel 43

Configuration | System | Events | SMTP Servers 44

SMTP Servers 44

Add / Modify / Delete / Move 45

Configuration | System | Events | SMTP Servers | Add or Modify 46

SMTP Server 46

Add or Apply / Cancel 46

Configuration | System | Events | E-mail Recipients 47

E-mail Recipients 47

Add / Modify / Delete 48

Configuration | System | Events | E-mail Recipients | Add or Modify 49

E-mail Address 49

Max Severity 49

Add or Apply / Cancel 49

CHAPTER 10 General 10-1

Configuration | System | General 10-1

Configuration | System | General | Identification 10-2

System Name 10-2

Contact 10-2

Location 10-2

Apply / Cancel 10-2

Configuration | System | General | Time and Date 10-3

Current Time 10-3

New Time 10-3

Enable DST Support 10-4

Apply / Cancel 10-4

Configuration | System | General | Sessions 10-5

Maximum Active Sessions: WebVPN or IPSec, PPTP and L2TP/IPSec 10-5

Maximum Active Sessions 10-6

Maximum Active WebVPN Sessions 10-7

Ratios of WebVPN to IPSec, PPTP and L2TP/IPSec Sessions 10-7

Apply/Cancel 10-8

Configuration | System | General | Global Authentication Parameters 10-9

Enable Group Lookup 10-9

Group Delimiter 10-9

Strip Group 10-10

Groups and Realms 10-10

Strip Realm and Group Lookup 10-11

Usernames with Groups and Realms Summary 10-11

Associating Users with Different Groups for Authentication 10-12

CHAPTER 11 Client Update 11-1

VPN Software Clients 11-1

VPN 3002 Hardware Clients 11-1

Configuration | System | Client Update 11-2

Configuration | System | Client Update | Enable 11-3

Enable 11-3

Apply or Cancel 11-3

Configuration | System | Client Update | Entries 11-4

Update Entry 11-4

Actions 11-4

Configuration | System | Client Update | Entries | Add or Modify 11-5

Client Type 11-5

URL 11-6

Revisions 11-6

Add or Apply / Cancel 11-7

CHAPTER 12 Load Balancing Cisco VPN Clients 12-1

Preliminary Steps 12-2

Configure Interfaces 12-2

Configure Filters 12-3

Configuration | System | Load Balancing 12-4

Cluster Configuration 12-5

Device Configuration 12-6

Apply/Cancel 12-7

CHAPTER 13 User Management 9

Configuration | User Management 11

Configuration | User Management | Base Group 12

Using the Tabs 12

General Parameters Tab 13

IPSec Parameters Tab 18

Client Configuration Parameters Tab 29

Client FW Parameters Tab 37

Firewall Policy 41

HW Client Parameters Tab 42

About Interactive Hardware Client Authentication 44

About Individual User Authentication 45

About LEAP Bypass 46

Summary of VPN 3002 Authentication Features 48

PPTP/L2TP Parameters Tab 49

Apply / Cancel 54

WebVPN Parameters Tab 54

WebVPN Parameters 54

Content Filter Parameters 57

WebVPN ACLs 58

Add or Apply / Cancel 60

Configuration | User Management | Groups 61

Actions 62

Current Groups 62

Modify 62

Configuration | User Management | Groups | Add or Modify (Internal) 64

Using the Tabs 64

Identity Parameters Tab 65

General Parameters Tab 67

Value / Inherit? 68

IPSec Parameters Tab 74

Value / Inherit? 76

Client Configuration Parameters Tab 83

Client FW Parameters Tab 90

Firewall Policy 94

HW Client Parameters Tab 95

About LEAP Bypass 98

Summary of VPN 3002 Authentication Features 100

PPTP/L2TP Parameters Tab 101

Value / Inherit? 101

Add or Apply / Cancel 107

WebVPN Parameters Tab 107

WebVPN Parameters 109

Content Filter Parameters 110

WebVPN ACLs 111

Add or Apply / Cancel 113

Configuration | User Management | Groups | Modify (External) 114

Apply / Cancel 115

Configuration | User Management | Groups | Authentication Servers 116

Servers 118

Actions 118

Configuration | User Management | Groups | Authentication Servers | Add or Modify 119

Server Type = RADIUS 119

Server Type = NT Domain 121

Server Type = SDI 122

Server Type = Kerberos/Active Directory 124

Configuration | User Management | Groups | Authentication Servers | Test 127

Username 127

Password 127

OK / Cancel 127

Authentication Server Test: Success 128

Authentication Server Test: Authentication Rejected Error 128

Authentication Server Test: Authentication Error 129

Configuration | User Management | Groups | Authorization Servers 130

Authorization Servers 131

Add / Modify / Delete / Move Up / Move Down / Test / Done 131

Configuration | User Management | Groups | Authorization Servers | Add or Modify 132

Server Type = RADIUS 132

Server Type = LDAP 134

Configuration | User Management | Groups | Authorization Servers | Test 138

Username 138

Password 138

OK / Cancel 138

Authorization Server Test: Success 139

Authorization Server Test: Authorization Rejected Error 139

Authorization Server Test: Authorization Error 140

Configuration | User Management | Groups | Accounting Servers 141

Servers 141

Actions 142

Configuration | User Management | Groups | Accounting Servers | Add or Modify 143

Accounting Server 143

Server Port 143

Timeout 144

Retries 144

Server Secret 144

Verify 144

Add or Apply / Cancel 144

Configuration | User Management | Groups | Address Pools 145

IP Pool Entry 145

Actions 145

Configuration | User Management | Groups | Address Pools | Add or Modify 146

Range Start 146

Range End 146

Add or Apply / Cancel 146

Configuration | User Management | Groups | Client Update 147

Update entry 147

Actions 147

Configuration | User Management | Groups | Client Update | Add or Modify 148

Client Type 148

URL 149

Revisions 149

Add or Apply / Cancel 149

Configuration | User Management | Groups | Bandwidth Policy 150

Configuration | User Management | Groups | Bandwidth Policy | Interfaces 151

Apply / Cancel 152

Configuration | User Management | Groups | WebVPN Servers and URLs 152

Servers and URLs 153

Actions 153

Configuration | User Management | Groups | WebVPN Servers and URLs | Add or Modify 153

Name 154

Server Type 154

Remote Server 154

Add or Apply/Cancel 154

Configuration | User Management | Groups | WebVPN Port Forwarding 155

Forwarded Ports 156

Actions 156

Configuration | User Management | Groups | WebVPN Port Forwarding | Add or Modify 156

Name 157

Local TCP Port 157

Remote Server 157

Remote TCP Port 158

Add or Apply/Cancel 158

The WebVPN Application Access Window 158

About the Hosts File 159

Configuration | User Management | Users 160

Current Users 161

Add / Modify / Delete 161

Configuration | User Management | Users | Add or Modify 162

Using the Tabs 162

Identity Parameters Tab 163

General Parameters Tab 165

Value / Inherit? 165

IPSec Parameters Tab 170

Value / Inherit? 170

PPTP/L2TP Parameters Tab 173

Value / Inherit? 173

Add or Apply/Cancel 175

CHAPTER 14 Policy Management 14-1

Configuration | Policy Management 14-2

Configuration | Policy Management | Access Hours 14-3

Current Access Hours 14-3

Add / Modify / Delete 14-3

Configuration | Policy Management | Access Hours | Add or Modify 14-4

Name 14-5

Sunday - Saturday 14-5

Add or Apply / Cancel 14-5

Configuration | Policy Management | Traffic Management 14-6

Configuration | Policy Management | Traffic Management | Network Lists 14-7

Network List 14-8

Add / Modify / Copy / Delete 14-8

Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy 14-9

List Name 14-10

Network List 14-10

Generate Local List 14-10

Add or Apply / Cancel 14-10

Configuration | Policy Management | Traffic Management | Rules 14-11

Filter Rules 14-12

Add / Modify / Copy / Delete 14-14

Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy 14-15

Rule Name 14-17

Direction 14-17

Action 14-17

Protocol or Other 14-18

TCP Connection 14-19

Source Address 14-19

Destination Address 14-20

TCP/UDP Source Port 14-20

TCP/UDP Destination Port 14-21

ICMP Packet Type 14-22

Add or Apply / Cancel 14-22

Configuration | Policy Management | Traffic Management | Rules | Delete 14-23

Yes / No 14-23

Configuration | Policy Management | Traffic Management | Security Associations 14-24

IPSec SAs 14-26

Add / Modify / Delete 14-28

Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify 14-29

SA Name 14-30

Inheritance 14-30

IPSec Parameters 14-30

Authentication Algorithm 14-30

Encryption Algorithm 14-31

Encapsulation Mode 14-31

Perfect Forward Secrecy 14-31

Lifetime Measurement 14-32

Data Lifetime 14-32

Time Lifetime 14-33

IKE Parameters 14-33

Connection Type 14-33

IKE Peer(s) 14-33

Negotiation Mode 14-34

Digital Certificate 14-34

Certificate Transmission 14-34

IKE Proposal 14-34

Add or Apply / Cancel 14-35

Configuration | Policy Management | Traffic Management | Security Associations | Delete 14-36

Yes / No 14-36

Configuration | Policy Management | Traffic Management | Filters 14-37

Filter List 14-38

Add Filter 14-39

Assign Rules to Filter 14-39

Modify Filter 14-39

Copy Filter 14-39

Delete Filter 14-39

Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy 14-40

Filter Name 14-41

Default Action 14-41

Source Routing 14-41

Fragments 14-41

Description 14-41

Add or Apply / Cancel 14-42

Configuration | Policy Management | Traffic Management | Assign Rules to Filter 14-43

Filter Name 14-44

Current Rules in Filter 14-44

Available Rules 14-44

<< Add 14-44

<< Insert Above 14-44

>> Remove 14-44

Move Up / Move Down 14-45

Assign SA to Rule 14-45

Done 14-45

Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule 14-46

Add SA to Rule on Filter: 14-46

IPSec SAs 14-47

Apply 14-47

Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule 14-48

Change SA on Rule in Filter 14-48

IPSec SAs 14-48

Apply / Cancel 14-49

Configuration | Policy Management | Traffic Management | NAT 14-50

Configuration | Policy Management | Traffic Management | NAT | Enable 14-51

Interface NAT Rules Enabled 14-51

LAN-to-LAN Tunnel NAT Rule Enabled 14-51

Apply / Cancel 14-51

Configuration | Policy Management | Traffic Management | NAT | Interface Rules 14-52

Interface NAT Rules 14-52

Add / Modify / Delete 14-53

Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces 14-54

Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add or Modify 14-55

Interface 14-55

Private Address 14-55

Action 14-56

Add or Apply / Cancel 14-56

Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules 14-57

About LAN-to-LAN NAT 14-57

LAN-to-LAN NAT Rules 14-59

Add / Modify / Delete 14-60

Move Up / Move Down 14-60

Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify 14-61

Configuration | Policy Management | Traffic Management | Bandwidth Policies 14-64

Add / Modify / Delete 14-64

Configuration | Policy Management | Traffic Management | Add or Modify 14-65

Overview of Bandwidth Management 14-65

Bandwidth Policing 14-67

Configuring Bandwidth Management 14-67

Policy Name 14-70

Bandwidth Reservation 14-70

Policing 14-70

Configuration | Policy Management | Certificate Group Matching 14-72

Rules 14-73

Matching Policy 14-73

Configuration | Policy Management | Certificate Group Matching | Rules 14-74

Add/Modify Rule 14-74

Delete 14-74

Move Up 14-75

Move Down 14-75

Configuration | Policy Management | Certificate Group Matching | Rules | Add or Modify 14-76

Configuration | Policy Management | Certificate Group Matching | Policy 14-79

CHAPTER 15 Tunneling and Security 15-1

Configuration | Tunneling and Security 15-2

Configuration | Tunneling and Security | PPTP 15-3

Enabled 15-4

Maximum Tunnel Idle Time 15-4

Packet Window Size 15-4

Limit Transmit to Window 15-4

Max. Tunnels 15-4

Max. Sessions/Tunnel 15-4

Packet Processing Delay 15-4

Acknowledgement Delay 15-5

Acknowledgement Timeout 15-5

Apply / Cancel 15-5

Configuration | Tunneling and Security | L2TP 15-6

Enabled 15-7

Maximum Tunnel Idle Time 15-7

Control Window Size 15-7

Control Retransmit Interval 15-7

Control Retransmit Limit 15-7

Max. Tunnels 15-7

Max. Sessions/Tunnel 15-8

Hello Interval 15-8

Apply / Cancel 15-8

Configuration | Tunneling and Security | IPSec 15-9

Configuration | Tunneling and Security | IPSec | LAN-to-LAN 15-11

Backup LAN-to-LANs 15-11

LAN-to-LAN Connection 15-14

Add / Modify / Delete 15-14

Configuration | Tunneling and Security | IPSec | LAN-to-LAN | No Public Interfaces 15-15

Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add or Modify 15-16

Enable 15-18

Name 15-18

Interface 15-19

Connection Type 15-19

Peers 15-19

Digital Certificate 15-19

Certificate Transmission 15-20

Preshared Key 15-20

Authentication 15-20

Encryption 15-21

IKE Proposal 15-21

IPSec NAT-T 15-22

Bandwidth Policy 15-23

Routing 15-23

Local Network 15-23

Remote Network 15-24

Add or Apply / Cancel 15-25

Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add | Local or Remote Network List 15-26

List Name 15-27

Network List 15-27

Generate Local List 15-27

Apply 15-27

Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add | Done 15-28

OK 15-28

Configuration | Tunneling and Security | IPSec | IKE Proposals 15-29

Active Proposals 15-31

Inactive Proposals 15-31

<< Activate 15-31

>> Deactivate 15-32

Move Up / Move Down 15-32

Add 15-32

Modify 15-32

Copy 15-32

Delete 15-32

Configuration | Tunneling and Security | IPSec | IKE Proposals | Add, Modify, or Copy 15-33

Proposal Name 15-33

Authentication Mode 15-34

Authentication Algorithm 15-34

Encryption Algorithm 15-34

Diffie-Hellman Group 15-35

Lifetime Measurement 15-35

Data Lifetime 15-36

Time Lifetime 15-36

Add or Apply / Cancel 15-36

Configuration | Tunneling and Security | IPSec | NAT Transparency 15-37

IPSec over TCP 15-37

TCP Port(s) 15-38

IPSec over NAT-T 15-38

Apply / Cancel 15-39

Configuration | Tunneling and Security | IPSec | Alerts 15-40

Apply / Cancel 15-40

Configuration | Tunneling and Security | SSH 15-41

Enable SSH 15-41

SSH Port 15-42

Maximum Sessions 15-42

Key Regeneration Period 15-42

Encryption Protocols 15-42

Enable SCP 15-42

Apply / Cancel 15-42

Configuration | Tunneling and Security | SSL 15-43

HTTPS 15-43

Protocols 15-43

Configuration | Tunneling and Security | SSL | HTTPS 15-44

Enable HTTPS 15-45

HTTPS Port 15-45

Client Authentication 15-45

Apply / Cancel 15-46

Configuration | Tunneling and Security | SSL | Protocols 15-46

Encryption Protocols 15-46

SSL Version 15-47

Apply / Cancel 15-48

Configuration | Tunneling and Security | WebVPN 15-48

Configuration | Tunneling and Security | WebVPN | HTTP/HTTPS Proxy 15-49

HTTP Proxy 15-49

HTTP Proxy Port 15-49

HTTPS Proxy 15-49

HTTPS Proxy Port 15-50

Default Idle Timeout 15-50

Apply / Cancel 15-50

Configuration | Tunneling and Security | WebVPN | Home Page 15-50

Title 15-51

Login Message 15-51

Title Bar Color 15-51

Title Bar Text 15-52

Secondary Bar Color 15-52

Secondary Bar Text 15-52

Sample Display 15-52

Apply / Cancel 15-52

Configuration | Tunneling and Security | WebVPN | Logo 15-53

No Logo 15-53

Use Cisco’s logo 15-53

Upload a new logo 15-53

Apply / Cancel 15-54

Configuration | Tunneling and Security | WebVPN | E-Mail Proxy 15-55

VPN Name Delimiter 15-56

Server Delimiter 15-56

E-Mail Protocol 15-56

VPN Concentrator Port 15-57

Default E-Mail Server 15-57

Authentication Required 15-57

Apply / Cancel 15-59

Configuration | Tunneling and Security | WebVPN | Servers and URLs 15-60

Servers and URLs 15-60

Add 15-60

Modify 15-61

Delete 15-61

Configuration | Tunneling and Security | WebVPN | Servers and URLs | Add or Modify 15-61

Name 15-62

Server Type 15-62

Remote Server 15-62

Add or Apply / Cancel 15-62

Configuration | Tunneling and Security | WebVPN | Port Forwarding 15-63

Forwarded Ports 15-64

Add 15-64

Modify 15-64

Delete 15-64

Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add or Modify 15-65

Name 15-66

Local TCP Port 15-66

Remote Server 15-66

Remote TCP Port 15-67

Add or Apply / Cancel 15-67

The WebVPN Application Access Window 15-67

About the Hosts File 15-68

Appendix A Configuring an External Server for VPN Concentrator User Authorization A-1

Configuring an External LDAP Server A-1

Designing the VPN Concentrator LDAP Schema A-2

Defining the VPN Concentrator LDAP Schema A-4

Loading the Schema in the LDAP Server A-15

Defining User Permissions A-15

Configuring an External RADIUS Server A-17

Appendix B Configuring the VPN Concentrator for WebVPN 23

WebVPN Security Precautions 23

Using SSL to Access the VPN Concentrator 24

Using HTTPS for Management Sessions 24

Using HTTPS for WebVPN Sessions 24

Configuring SSL/TLS Encryption Protocols 25

Configuring Certificates for WebVPN 26

Using Certificates to Authenticate E-Mail Proxy Users 26

Using Certificates to Authenticate Clients 26

Checking the VPN Concentrator SSL Certificate 26

Setting WebVPN HTTP/HTTPS Proxy 26

Enabling Cookies on Browsers for WebVPN 26

Understanding WebVPN Global and Group Settings 27

Configuring Authentication and Authorization Globally 27

Configuring DNS Globally 28

Assigning WebVPN Users to Groups 28

Using the VPN Concentrator Manager to Configure WebVPN 28

Configuring E-mail 30

E-mail Proxies 30

Web E-Mail: Outlook Web Access for Exchange 2000 30

Configuring File Access 31

Configuring Access to Applications 31

Configuring Web Access 31

Using the WebVPN Capture Tool 31

WebVPN Capture Tool Output 31

Viewing and Using WebVPN Capture Tool Output 31

Using the WebVPN Capture Tool 32

Appendix C WebVPN End User Set-up C-1

Usernames and Passwords C-1

Security Tips C-2

Configuring Remote Systems to Use WebVPN Features C-2

Application Access: Recovering from hosts File Errors C-7

How WebVPN Uses the hosts File C-7

What Happens When You Stop Application Access Improperly C-7

What to Do C-8

E-mail Proxy C-10

Example Configuration C-10

Outlook Express on Windows 2000 C-12

Eudora 5.2 on Windows 2000 C-21

Netscape Mail v. 7 on Windows 2000 C-27

Preface

The VPN Concentrator provides an HTML-based graphic interface, called the VPN Concentrator Manager, that allows you to configure, administer, and monitor your device easily. The VPN Concentrator Manager has three sets of screens that correspond to these tasks: Configuration screens, Administration screens, and Monitoring screens.

VPN 3000 Series Concentrator Reference Volume I: Configuration is the first in the two volume VPN 3000 Series Concentrator Reference. Together, both volumes document all the screens of the VPN Concentrator Manager.

• VPN 3000 Series Concentrator Reference Volume I: Configuration explains how to start and use the VPN Concentrator Manager. It details the Configuration screens and explains how to configure your device beyond the minimal parameters you set during quick configuration.

• VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring provides guidelines for administering and monitoring the VPN Concentrator. It explains and defines all functions available in the Administration and Monitoring screens of the VPN Concentrator Manager. Appendixes to this manual provide troubleshooting guidance and explain how to access and use the alternate command-line interface.

This manual contains only configuration information. It contains no information about administering or monitoring the VPN Concentrator. For administration or monitoring information, refer to VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring.

This manual also contains no information about installing the VPN Concentrator and initially configuring it. For information about set-up and initial configuration, refer to the VPN 3000 Series Concentrator Getting Started.

Audience

We assume you are an experienced system administrator or network administrator with appropriate education and training, who knows how to install, configure, and manage internetworking systems. However, virtual private networks and VPN devices might be new to you. You should be familiar with Windows system configuration and management, and you should be familiar with Microsoft Internet Explorer or Netscape Navigator or Communicator browsers.

Prerequisites

We assume you have read the VPN 3000 Series Concentrator Getting Started manual, set up your VPN Concentrator, and followed the minimal configuration steps in quick configuration.

Organization

The chapters and sections of this guide correspond to the Configuration part of the VPN Concentrator Manager table of contents (the left frame of the Manager browser window) and are in the same order they appear there.

This guide is organized as follows:

Chapter 1, Using the VPN Concentrator Manager: Log in, navigate, and use the VPN Concentrator Manager with a browser. It explains both HTTP and HTTPS browser connections, and how to install the SSL certificate for a secure (HTTPS) connection.

Chapter 2, Configuration: Access the Configuration screens.

Chapter 3, Interfaces: Configure the VPN Concentrator Ethernet interfaces, the system power supply, and voltage sensor alarms.

Chapter 4, System Configuration: Access the System Configuration screens.

Chapter 5, Servers: Configure the VPN Concentrator to communicate with and access servers for user authentication, user authorization, user accounting, converting host names to IP addresses (DNS), assigning client IP addresses (DHCP), Zone Labs Integrity Firewall, NetBIOS Name, and network time synchronization (NTP).

Chapter 6, Address Management: Configure the client IP addresses available in your private network addressing scheme to let the client function as a VPN tunnel endpoint.

Chapter 7, IP Routing: Configure static routes, default gateways, and OSPF in the VPN Concentrator IP routing subsystem; DHCP global parameters; and redundant systems using VRRP.

Chapter 8, Management Protocols: Configure built-in VPN Concentrator servers that provide management functions: FTP, HTTP, TFTP, Telnet, SNMP, and XML.

Chapter 9, Events: Configure the system to handle events such as alarms, traps, error conditions, network problems, task completion, or status changes. You can specify several ways to record and send event messages.

Chapter 10, General: Configure the system identification, date, time, maximum session limit, and global authentication parameters.

Chapter 11, Client Update: Configure the VPN Concentrator to manage, from a central location, distribution of software and firmware updates to VPN Clients and VPN 3002 hardware clients deployed in diverse locations.

Chapter 12, Load Balancing Cisco VPN Clients: Configure two or more VPN Concentrators to share their remote access session loads.

Chapter 13, User Management: Configure groups and users with attributes that determine their access to and use of the VPN. Configuring groups and users correctly is essential for managing the security of your VPN.

Chapter 14, Policy Management: Configure network lists, filters, rules, and Security Associations, all of which are policies that govern what data traffic can flow through the VPN. You should develop and configure policies first, since you apply them to groups, users, and interfaces. This chapter also describes NAT configuration.

Chapter 15, Tunneling and Security: Configure system-wide parameters for PPTP and L2TP, IPSec LAN-to-LAN connections; IKE proposals for IPSec; SSH, SSL, and WebVPN connections.

Appendix A, Configuring an External Server for VPN Concentrator User Authorization: Configure an external LDAP or RADIUS authentication server to interoperate with the VPN Concentrator.

Appendix B, Configuring the VPN Concentrator for WebVPN

Appendix C, WebVPN End User Set-up: Set up configurations for WebVPN end users.

Note This guide is the first volume of the complete VPN Concentrator Manager reference. It documents only configuration tasks. For information on administering or monitoring your VPN Concentrator, refer to the VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring.

Related Documentation

Refer to the following documents for further information about Cisco VPN applications and products.

VPN 3000 Series Concentrator Documentation

The VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring provides guidelines for administering and monitoring the VPN Concentrator. It explains and defines all functions available in the Administration and Monitoring screens. Appendixes to this manual provide troubleshooting guidance and explain how to access and use the alternate command-line interface.

The VPN Concentrator Manager also includes online help that you can access by clicking the Help icon on the toolbar in the Manager window.

The VPN 3000 Series Concentrator Getting Started manual takes you from unpacking and installing the VPN 3000 Series Concentrator, through configuring the minimal parameters to make it operational (called quick configuration).

The short document Upgrading Memory to 512 MB in the VPN 3000 Series Concentrator explains how to upgrade the VPN Concentrator memory. It also explains how to upgrade the VPN Concentrator software image and bootcode to versions that support the increased memory.

VPN Client Documentation

The Cisco VPN Client User Guide for Windows, the Cisco VPN Client User Guide for Linux and Solaris, and the Cisco VPN Client User Guide for Mac OS X explain how to install, configure, and use the VPN Client. The VPN Client lets a remote client use the IPSec tunneling protocol for secure connection to a private network through the VPN Concentrator.

The VPN Client Administrator Guide tells how to

• configure a VPN 3000 Concentrator for remote user connections using the VPN Client

• automate a remote user profile

• customize VPN Client software

• use the VPN Client command-line interface

• get troubleshooting information.

VPN 3002 Hardware Client Documentation

The VPN 3002 Hardware Client Reference provides details on all the functions available in the VPN 3002 Hardware Client Manager. This manual is online only.

The VPN 3002 Hardware Client Getting Started manual provides information to take you from unpacking and installing the VPN 3002, through configuring the minimal parameters to make it operational (called Quick Configuration). This manual is available only online.

The VPN 3002 Hardware Client Quick Start Card summarizes the information for quick configuration. This quick reference card is provided with the VPN 3002 and is also available online.

The VPN 3002 Hardware Client Basic Information sticky label summarizes information for quick configuration. It is provided with the VPN 3002 and you can also print it from the online version; you can affix the label to the VPN 3002.

Documentation on VPN Software Distribution CDs

The VPN 3000 Series Concentrator and VPN 3002 Hardware Client documentation are provided on the VPN 3000 Concentrator software distribution CD-ROM in PDF format. The VPN Client documentation is included on the VPN Client software distribution CD-ROM, also in PDF format. To view the latest versions on the Cisco web site, click the Support icon on the toolbar at the top of the VPN Concentrator Manager, Hardware Client Manager, or Client window. To open the documentation, you need Acrobat Reader 3.0 or later; version 4.5 is included on the Cisco VPN 3000 Concentrator software distribution CD-ROM and on the VPN Client software distribution CD-ROM.

Other References

Other useful references include:

• Cisco Systems, Dictionary of Internetworking Terms and Acronyms. Cisco Press: 2001.

• Virtual Private Networking: An Overview. Microsoft Corporation: 1999. (Available from Microsoft website.)

• www.ietf.org for Internet Engineering Task Force (IETF) Working Group drafts on IP Security Protocol (IPSec).

• www.whatis.com, a web reference site with definitions for computer, networking, and data communication terms.

Conventions

This document uses the following conventions:

boldface font: Commands and keywords are in boldface.

italic font: Arguments for which you supply values are in italics.

screen font: Terminal sessions and information the system displays are in screen font.

boldface screen font: Information you must enter is in boldface screen font.

^: The symbol ^ represents the key labeled Control. For example, the key combination ^D in a screen display means hold down the Control key while you press the D key.

Notes use the following conventions:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Tips use the following conventions:

Tips Means the following are useful tips.

Cautions use the following conventions:

Caution Means reader be careful. Cautions alert you to actions or conditions that could result in equipment damage or loss of data.

Warnings use the following conventions:

Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, you must be aware of the hazards involved with electrical circuitry and familiar with standard practices for preventing accidents.

Data Formats

As you configure and manage the system, enter data in the following formats unless the instructions indicate otherwise:

IP Addresses: IP addresses use 4-byte dotted decimal notation (for example, 192.168.12.34); as the example indicates, you can omit leading zeros in a byte position.

Subnet Masks and Wildcard Masks: Subnet masks use 4-byte dotted decimal notation (for example, 255.255.255.0). Wildcard masks use the same notation (for example, 0.0.0.255); as the example illustrates, you can omit leading zeros in a byte position.

MAC Addresses: MAC addresses use 6-byte hexadecimal notation (for example, 00.10.5A.1F.4F.07).

Host names: Host names use legitimate network host name or end-system name notation (for example, VPN01). Spaces are not allowed. A host name must uniquely identify a specific system on a network.

Text Strings: Text strings use upper- and lower-case alphanumeric characters. Most text strings are case-sensitive (for example, simon and Simon represent different usernames).

Filenames: Filenames on the VPN Concentrator follow the DOS 8.3 naming convention: a maximum of eight characters for the name, plus a maximum of three characters for an extension. For example, LOG00007.TXT is a legitimate filename. The VPN Concentrator always stores filenames in uppercase.

Port Numbers: Port numbers use decimal numbers from 0 to 65535. No commas or spaces are permitted in a number.
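The formats in the table above are the input grammar of the Manager's configuration forms, and a tool that generates or pre-checks that configuration should reject anything outside them before it reaches the device. The following validator is an added example written for this page, not code from the manual or from Cisco. It follows the table's rules and adds two tightenings that the table does not state: host name labels are checked against the usual DNS label rule (letters, digits and hyphens, no leading or trailing hyphen, at most 63 characters), and subnet and wildcard masks must have contiguous bits, since a mask such as 255.0.255.0 is almost always a typo.

```python
import ipaddress
import re
from typing import Callable, Dict, Tuple

# Patterns follow the manual's Data Formats table. The DNS-label rule for host
# names and the contiguous-bit checks on masks are added tightening (assumption).
_DECIMAL = re.compile(r"^[0-9]+$")
_MAC = re.compile(r"^[0-9A-Fa-f]{2}(\.[0-9A-Fa-f]{2}){5}$")         # 00.10.5A.1F.4F.07
_HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")         # VPN01
_FILENAME_83 = re.compile(r"^[A-Z0-9_-]{1,8}(\.[A-Z0-9_-]{1,3})?$")  # LOG00007.TXT


def parse_ipv4(text: str) -> str:
    """Return the canonical form of a 4-byte dotted-decimal address.

    Leading zeros may be omitted (192.168.12.34) or present (192.168.012.034);
    both normalize to the same value. Anything else is rejected.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(_DECIMAL.match(p) for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 address: {text!r}")
    # int() drops leading zeros; IPv4Address rejects any octet above 255.
    return str(ipaddress.IPv4Address(".".join(str(int(p)) for p in parts)))


def parse_subnet_mask(text: str) -> str:
    """A subnet mask is dotted decimal whose set bits form a contiguous prefix."""
    mask = parse_ipv4(text)
    host_bits = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF   # the zero bits
    if host_bits & (host_bits + 1):                             # not 0...01...1
        raise ValueError(f"non-contiguous subnet mask: {text!r}")
    return mask


def parse_wildcard_mask(text: str) -> str:
    """A wildcard mask is the inverse shape: contiguous set bits at the low end."""
    mask = parse_ipv4(text)
    value = int(ipaddress.IPv4Address(mask))
    if value & (value + 1):
        raise ValueError(f"non-contiguous wildcard mask: {text!r}")
    return mask


def parse_mac(text: str) -> str:
    """6-byte dotted hexadecimal, returned in uppercase."""
    mac = text.strip()
    if not _MAC.match(mac):
        raise ValueError(f"not a 6-byte dotted-hex MAC address: {text!r}")
    return mac.upper()


def parse_hostname(text: str) -> str:
    """A host name: no spaces, one or more valid DNS labels."""
    name = text.strip()
    if not name or len(name) > 253:
        raise ValueError(f"bad host name length: {text!r}")
    if not all(_HOST_LABEL.match(label) for label in name.split(".")):
        raise ValueError(f"not a valid host name: {text!r}")
    return name


def parse_filename(text: str) -> str:
    """DOS 8.3 name; the Concentrator stores names in uppercase, so we do too."""
    name = text.strip().upper()
    if not _FILENAME_83.match(name):
        raise ValueError(f"not a DOS 8.3 filename: {text!r}")
    return name


def parse_port(text: str) -> int:
    """Decimal 0..65535; commas, spaces and signs are rejected, not stripped."""
    if not _DECIMAL.match(text):
        raise ValueError(f"port must be plain decimal digits: {text!r}")
    port = int(text)
    if port > 65535:
        raise ValueError(f"port out of range 0-65535: {text!r}")
    return port


VALIDATORS: Dict[str, Callable[[str], object]] = {
    "ip": parse_ipv4, "subnet_mask": parse_subnet_mask,
    "wildcard_mask": parse_wildcard_mask, "mac": parse_mac,
    "hostname": parse_hostname, "filename": parse_filename, "port": parse_port,
}


def validate_fields(fields: Dict[str, str]) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Validate each (kind, raw text) pair; return (clean values, error messages)."""
    clean: Dict[str, object] = {}
    errors: Dict[str, str] = {}
    for kind, raw in fields.items():
        validator = VALIDATORS.get(kind)
        if validator is None:
            errors[kind] = f"no validator for field kind {kind!r}"
            continue
        try:
            clean[kind] = validator(raw)
        except ValueError as exc:
            errors[kind] = str(exc)
    return clean, errors


if __name__ == "__main__":
    # Constructed sample form input, with one deliberately malformed mask.
    sample = {"ip": "10.10.99.50", "subnet_mask": "255.0.255.0",
              "mac": "00.10.5a.1f.4f.07", "hostname": "VPN01",
              "filename": "log00007.txt", "port": "443"}
    print(validate_fields(sample))
```

Each parser returns the canonical form the device will store (leading zeros dropped, MAC and filename uppercased), so a configuration generator can compare what it intends to push against what the Manager later displays.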

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco web sites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/en/US/partner/ordering/index.shtml

• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can e-mail your comments to [email protected].

You can submit your comments by mail by using the response card behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.

Cisco.com

Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com provides a broad range of features and services to help you with these tasks:

• Streamline business processes and improve productivity

• Resolve technical issues with online support

• Download and test software packages

• Order Cisco learning materials and merchandise

• Register for online skill assessment, training, and certification programs

To obtain customized information and service, you can self-register on Cisco.com at this URL:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The avenue of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.

We categorize Cisco TAC inquiries according to urgency:

• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Cisco TAC Website

You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC website, go to this URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

http://tools.cisco.com/RPF/register/register.do

If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:

http://www.cisco.com/en/US/support/index.html

If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC website so that you can describe the situation in your own words and attach any necessary files.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

• Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:

http://www.ciscopress.com

• Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest information about the field of networking. You can access Packet magazine at this URL:

http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html

• iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers with the latest information about the networking industry. You can access iQ Magazine at this URL:

http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in the design, development, and operation of public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

• Training—Cisco offers world-class networking training, with current offerings in network training listed at this URL:

http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html

Chapter 1 Using the VPN Concentrator Manager

The VPN Concentrator Manager (also known as the Manager) is an HTML-based interface that lets you configure, administer, monitor, and manage the VPN 3000 Series Concentrator with a standard web browser. To use it, you need only to connect to the VPN Concentrator using a PC and browser on the same private network as the VPN Concentrator.

The Manager uses the standard web client/server protocol, HTTP (Hypertext Transfer Protocol), which is a cleartext protocol. However, you can also use the Manager in a secure, encrypted HTTP connection over SSL (Secure Sockets Layer) protocol, which is known as HTTPS.

• To use a cleartext HTTP connection, see Connecting to the VPN Concentrator Using HTTP, page 1-4.

• To use HTTP over SSL (HTTPS) with the Manager for the first time, connect to the Manager using HTTP and install an SSL certificate in the browser; see Installing the SSL Certificate in Your Browser, page 1-5.

• Once the SSL certificate is installed, you can connect directly using HTTPS; see Connecting to the VPN Concentrator Using HTTPS, page 1-20.

Browser Requirements

The VPN Concentrator Manager requires one of the following browsers:

• Microsoft Internet Explorer version 4.0 or higher

• Netscape Navigator version 4.5-4.7, 6.0, or 7.0. WebVPN does not work with versions 4.x or 6.x.

• Mozilla 1.1

For best results, we recommend Internet Explorer. Whatever browser and version you use, install the latest patches and service packs for it.

JavaScript and Cookies

Be sure JavaScript and Cookies are enabled in the browser. Check these settings for your browser.

Internet Explorer 4.0

JavaScript:

1. On the View menu, choose Internet Options.

2. On the Security tab, click Custom (for expert users) then click Settings.

3. In the Security Settings window, scroll down to Scripting.

4. Click Enable under Scripting of Java applets.

5. Click Enable under Active scripting.

Cookies:

1. On the View menu, choose Internet Options.

2. On the Advanced tab, scroll down to Security then Cookies.

3. Click Always accept cookies.

Internet Explorer 5.0 and 5.5

JavaScript:

1. On the Tools menu, choose Internet Options.

2. On the Security tab, click Custom Level.

3. In the Security Settings window, scroll down to Scripting.

4. Click Enable under Active scripting.

5. Click Enable under Scripting of Java applets.

Cookies:

1. On the Tools menu, choose Internet Options.

2. On the Security tab, click Custom Level.

3. In the Security Settings window, scroll down to Cookies.

4. Click Enable under Allow cookies that are stored on your computer.

5. Click Enable under Allow per-session cookies (not stored).

Internet Explorer 6.0

JavaScript:

1. On the Tools menu, choose Internet Options.

2. On the Security tab, click Custom Level.

3. In the Security Settings window, scroll down to Scripting.

4. Click Enable under Active scripting.

5. Click Enable under Scripting of Java applets.

Cookies:

1. On the Tools menu, choose Internet Options.

2. On the Privacy tab, set the slider at or below Medium High.

Netscape Navigator 4.5-4.7

JavaScript:

1. On the Edit menu, choose Preferences.

2. On the Advanced screen, check the Enable JavaScript check box.

Cookies:

1. On the Edit menu, choose Preferences.

2. On the Advanced screen, click one of the Accept... cookies choices, and do not check the Warn me before accepting a cookie check box.

Netscape Navigator 6.0

JavaScript:

1. On the Edit menu, choose Preferences.

2. On the Advanced screen, check the Enable JavaScript for Navigator check box.

Cookies:

1. On the Edit menu, choose Preferences.

2. Under the Advanced category, choose Cookies.

3. On the Cookies screen, choose Enable All Cookies. Do not check the Warn me before storing a cookie check box.

Netscape Navigator 7.0 and Mozilla 1.1

JavaScript:

1. On the Edit menu, choose Preferences.

2. Under the Advanced category, choose Scripts & Plug-ins.

3. Check the Navigator check box.

4. Check all Allow Web pages check boxes.

Cookies:

1. On the Edit menu, choose Preferences.

2. Under the Privacy & Security category, choose Cookies.

3. Choose Enable All Cookies.

Navigation Toolbar

Do not use the browser navigation toolbar buttons Back, Forward, or Refresh/Reload with the VPN Concentrator Manager unless instructed to do so. To protect access security, clicking Refresh/Reload automatically logs out the Manager session. Clicking Back or Forward might result in outdated Manager screens with incorrect data or settings being displayed.

We recommend that you hide the browser navigation toolbar to prevent mistakes from occurring during use of the VPN Concentrator Manager.

Recommended PC Monitor/Display Settings

For easiest use, we recommend that you use the following settings on your monitor or display:

• Desktop area = 1024 x 768 pixels or greater. The minimum desktop area is 800 x 600 pixels.

• Color palette = 256 colors or more.

Netscape Navigator 4.x Browsers

If you are running the VPN Concentrator Manager in a Netscape Navigator 4.x browser, you might encounter the following problems:

• When you edit group or user attributes on the Configuration | User Management | Groups or Users screens, your changes might not be saved. The Inherit check box does not clear automatically, which causes your changes to revert to the inherited value of the group or Base Group. Therefore, to save your changes, you must manually clear the Inherit check box.

• In some screens, when you resize your browser window, you see the Action buttons duplicated (one on top of the other).

For best results, use Internet Explorer instead of Netscape Navigator.

Connecting to the VPN Concentrator Using HTTP

When your system administration tasks and network permit a cleartext connection between the VPN Concentrator and your browser, you can use the standard HTTP protocol to connect to the system.

Even if you plan to use HTTPS, you must first use HTTP to install an SSL certificate in your browser.

Step 1 Bring up the browser.

Step 2 In the browser Address or Location field, enter the VPN Concentrator Ethernet 1 (Private) interface IP address, for example: 10.10.99.50. The browser automatically assumes and supplies an http:// prefix.

The browser displays the VPN Concentrator Manager login screen. (See Figure 1-1.)

Figure 1-1 VPN Concentrator Manager Login Screen

To continue using HTTP for the whole session, skip to Logging into the VPN Concentrator Manager, page 1-21.

Installing the SSL Certificate in Your Browser

The VPN Concentrator Manager provides the option of using HTTP over SSL with the browser. SSL creates a secure session between your browser (client) and the VPN Concentrator (server). This protocol is known as HTTPS, and uses the https:// prefix to connect to the server. The browser first authenticates the server, then encrypts all data passed during the session.

HTTPS is often confused with a similar protocol, S-HTTP (Secure HTTP), which encrypts only HTTP application-level data. SSL encrypts all data between client and server at the IP socket level, and is thus more secure.

SSL uses digital certificates for authentication. The VPN Concentrator creates a self-signed SSL server certificate when it boots, and this certificate must be installed in the browser. Once the certificate is installed, you can connect using HTTPS. You need to install the certificate from a given VPN Concentrator only once.

Managing the VPN Concentrator is the same with or without SSL. Manager screens might take slightly longer to load with SSL because of encryption/decryption processing. When connected via SSL, the browser shows a locked-padlock icon on its status bar. Both Microsoft Internet Explorer and Netscape Navigator support SSL.

Follow these steps to install and use the SSL certificate for the first time. We provide separate instructions for Internet Explorer and Netscape Navigator when they diverge.

Step 1 Connect to the VPN Concentrator using HTTP as noted in the preceding text.

Step 2 On the login screen, click the Install SSL Certificate link.

The Manager displays the Install SSL Certificate screen (see Figure 1-2) and automatically begins to download and install its SSL certificate in your browser.

Figure 1-2 Install SSL Certificate Screen


At this point in the process, the installation sequence differs depending on the browser being used.

• For Internet Explorer, proceed to the next section, Installing the SSL Certificate with Internet Explorer.

• For Netscape Navigator, see the Installing the SSL Certificate with Netscape section, page 1-13.

Installing the SSL Certificate with Internet Explorer

Note This section describes SSL certificate installation using Microsoft Internet Explorer 5.0. With other versions of Internet Explorer, some dialog boxes might differ but the process is similar.

You need to install the SSL certificate from a given VPN Concentrator only once. If you do reinstall it, the browser repeats all these steps each time.

A few seconds after the VPN Concentrator Manager SSL screen appears, Internet Explorer displays a File Download dialog box that identifies the certificate filename and source, and asks whether to open or save the certificate. To immediately install the certificate in the browser, click the Open this file from its current location radio button. If you save the file, the browser prompts for a location; you must then double-click on the file to install it.

Figure 1-3 Internet Explorer File Download Dialog Box


Step 1 Click the Open this file from its current location radio button, then click OK.

The browser displays the Certificate dialog box with information about the certificate. (See Figure 1-4.) You must now install the certificate.

Figure 1-4 Internet Explorer Certificate Dialog Box

Step 2 Click Install Certificate.

The browser starts a wizard to install the certificate. (See Figure 1-5.) In Internet Explorer, these certificates are stored in the “certificates store.”

Figure 1-5 Internet Explorer Certificate Manager Import Wizard Dialog Box


Step 3 Click Next to continue.

The wizard opens the next dialog box; you are asked to choose a certificate store. (See Figure 1-6.)

Figure 1-6 Internet Explorer Certificate Manager Import Wizard Dialog Box

Step 4 Click Automatically select the certificate store, then click Next.

The wizard opens a dialog box to complete the installation. (See Figure 1-7.)

Figure 1-7 Internet Explorer Certificate Manager Import Wizard Dialog Box


Step 5 Click Finish.

The wizard opens the Root Certificate Store dialog box; you are asked to confirm the installation. (See Figure 1-8.)

Figure 1-8 Internet Explorer Root Certificate Store Dialog Box

Step 6 To install the certificate, click Yes. The dialog box then closes, and a final wizard confirmation dialog box opens. (See Figure 1-9.)

Figure 1-9 Internet Explorer Certificate Manager Import Wizard Final Dialog Box

Step 7 Click OK to close this dialog box, and click OK on the Certificate dialog box to close it. (See Figure 1-4.)

You can now connect to the VPN Concentrator using HTTP over SSL (HTTPS).

Step 8 On the Manager SSL screen (see Figure 1-2), click the link that says, After installing the SSL certificate, click here to connect to the VPN 3000 Concentrator Series using SSL.

Depending on how your browser is configured, you might see a Security Alert dialog box. (See Figure 1-10.)

Figure 1-10 Internet Explorer Security Alert Dialog Box


Step 9 Click OK.

The VPN Concentrator displays the HTTPS version of the Manager login screen. (See Figure 1-11.)

Figure 1-11 VPN Concentrator Manager Login Screen Using HTTPS (Internet Explorer)

The browser maintains the HTTPS state until you close the browser or access an insecure site; in the latter case you might see a Security Alert screen.

Step 10 Proceed to Logging into the VPN Concentrator Manager, page 1-21 to log in as usual.


Viewing Certificates with Internet Explorer

Examine certificates stored in Internet Explorer using either of the following methods.

Note The VPN Concentrator SSL certificate name is its Ethernet 1 (Private) IP address.

To View Details of the Certificate in Use

Step 1 Note the padlock icon on the browser status bar (at the bottom of the browser) in Figure 1-11. Double-click on the icon.

The browser opens a Properties screen showing details of the specific certificate in use. (See Figure 1-12.)

Figure 1-12 Internet Explorer 4.0 Certificate Properties Screen

Step 2 Select any one of the Field items to see details.

Step 3 Click Close when finished.


To View All Stored Certificates (Internet Explorer 4.0 Only)

Note These steps apply only to Internet Explorer 4.0. If you are using Internet Explorer 5.0, skip to the next section.

Step 1 Click the browser View menu. Choose Internet Options.

Step 2 Click the Content tab, then click Authorities in the Certificates section.

The browser displays the Certificate Authorities screen. (See Figure 1-13.)

Figure 1-13 Internet Explorer 4.0 Certificate Authorities Screen

Step 3 Select a certificate. Click View Certificate.

The browser displays the Certificate Properties screen. (See Figure 1-12.)

To View All Stored Certificates (Internet Explorer 5.0 Only)

Note These steps apply only to Internet Explorer 5.0. If you are using an earlier version of Internet Explorer, follow the steps in the previous section.

Step 1 Click the browser Tools menu. Choose Internet Options.

The browser displays the Internet Options screen.

Step 2 Click the Content tab. In the Certificates section, click Certificates... .

The browser displays the Certificate Manager screen.

Step 3 In the Certificate Manager screen, click the Trusted Root Certification Authorities tab. Select a certificate, then click View Certificate.

The browser displays the Certificate Properties screen. (See Figure 1-12.)


Installing the SSL Certificate with Netscape

This section describes SSL certificate installation using Netscape Navigator/Communicator 4.5.

Reinstallation

You need to install the SSL certificate from a given VPN Concentrator only once. If you attempt to reinstall it, Netscape displays the note shown in Figure 1-14. Click OK, and connect to the VPN Concentrator using SSL (see Step 8 on page 1-17).

Figure 1-14 Netscape Reinstallation Note

First-time Installation

The instructions below follow from Step 2 on page 1-5 and describe first-time certificate installation.

A few seconds after the VPN Concentrator Manager SSL screen appears, Netscape displays a New Certificate Authority screen. (See Figure 1-15.)

Figure 1-15 Netscape New Certificate Authority Screen 1


Step 1 Click Next> to proceed.

Netscape displays the next New Certificate Authority screen, which further explains the process. (See Figure 1-16.)

Figure 1-16 Netscape New Certificate Authority Screen 2

Step 2 Click Next> to proceed.

Netscape displays the next New Certificate Authority screen, which lets you examine details of the VPN Concentrator SSL certificate. (See Figure 1-17.)

Figure 1-17 Netscape New Certificate Authority Screen 3


Step 3 Click Next> to proceed.

Netscape displays the next New Certificate Authority screen, with choices for using the certificate. No choices are checked by default. (See Figure 1-18.)

Figure 1-18 Netscape New Certificate Authority Screen 4

Step 4 You must check at least the first box, Accept this Certificate Authority for Certifying network sites. Click Next> to proceed.

Netscape displays the next New Certificate Authority screen, which lets you choose to have the browser warn you about sending data to the VPN Concentrator. (See Figure 1-19.)

Figure 1-19 Netscape New Certificate Authority Screen 5


Step 5 Checking the box is optional.

Note If the box is checked, you will get a warning whenever you apply settings on a Manager screen. It is probably less intrusive to manage the VPN Concentrator without those warnings.

Step 6 Click Next> to proceed.

Netscape displays the final New Certificate Authority screen, which asks you to provide a nickname for the certificate. (See Figure 1-20.)

Figure 1-20 Netscape New Certificate Authority Screen 6

Step 7 In the Nickname field, enter a descriptive name for this certificate. “Nickname” is something of a misnomer. We suggest you use a clearly descriptive name such as Cisco VPN Concentrator 10.10.147.2. This name appears in the list of installed certificates; see the Viewing Certificates with Netscape section, page 1-18.

Click Finish.

You can now connect to the VPN Concentrator using HTTP over SSL (HTTPS).


Step 8 On the Manager SSL screen (see Figure 1-2), click the link that says, After installing the SSL certificate, click here to connect to the VPN Concentrator using SSL.

Depending on how your browser is configured, you might see a Security Information Alert dialog box. (See Figure 1-21.)

Figure 1-21 Netscape Security Information Alert Dialog Box

Step 9 Click Continue.

The VPN Concentrator displays the HTTPS version of the Manager login screen. (See Figure 1-22.)

Figure 1-22 VPN Concentrator Manager Login Screen Using HTTPS (Netscape)

The browser maintains the HTTPS state until you close the browser or access an insecure site; in the latter case, you might see a Security Information Alert dialog box.

Proceed to Logging into the VPN Concentrator Manager, page 1-21 to log in.


Viewing Certificates with Netscape

Examine certificates stored in Netscape Navigator/Communicator 4.5 using either of the following methods.

To View Details of the Certificate in Use

Step 1 Note the locked-padlock icon on the bottom status bar in Figure 1-22. If you click the icon, Netscape opens a Security Info window. (See Figure 1-23.)

Note You can also open this window by clicking Security on the Navigator Toolbar at the top of the Netscape window.

Figure 1-23 Netscape Security Info Window


Step 2 Click the View Certificate button to see details of the specific certificate in use. The View Certificates screen opens. (See Figure 1-24.)

Figure 1-24 Netscape View Certificate Screen

Step 3 Click OK when finished.

To View All Stored Certificates

Step 1 In the Security Info window (see Figure 1-25), select Certificates, then Signers. The “nickname” you entered in Step 7 on page 1-16 identifies the VPN Concentrator SSL certificate.

Figure 1-25 Netscape Certificates Signers List

Step 2 Select a certificate, then click Edit, Verify, or Delete. Click OK when finished.


Connecting to the VPN Concentrator Using HTTPS

Once you have installed the VPN Concentrator SSL certificate in the browser, you can connect directly using HTTPS:

Step 1 Bring up the browser.

Step 2 In the browser Address or Location field, enter https:// plus the VPN Concentrator private interface IP address or hostname, plus /admin; for example, https://10.10.147.2/admin.

The browser displays the VPN Concentrator Manager HTTPS login screen. (See Figure 1-26.)

Figure 1-26 VPN Concentrator Manager HTTPS Login Screen

A locked-padlock icon on the browser status bar indicates an HTTPS session. This login screen does not include the Install SSL Certificate link.
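The self-signed certificate is fetched over cleartext HTTP and then stored by the browser as a trusted root, so the practical check before trusting it is to compare its fingerprint with one recorded out of band (for example, read from the certificate details dialog on a trusted path). The following Python script is an added example from the editor, not code from the VPN 3000 documentation or from the concentrator; the host, port and `SAMPLE_DER` bytes are constructed placeholders, and the pin you would supply against a real device is assumed to have been recorded beforehand.

```python
"""Fingerprint-pinned HTTPS check for a self-signed management certificate.

Added example for this section; not code from the VPN 3000 documentation or
the concentrator itself. The host, port and pin values are assumptions.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' and return lowercase hex without separators."""
    return pin.replace(":", "").replace(" ", "").lower()


def pin_matches(der_cert: bytes, expected_pin: str) -> bool:
    """Constant-time comparison of the certificate fingerprint against the pin."""
    return hmac.compare_digest(fingerprint_sha256(der_cert), normalize_pin(expected_pin))


def connect_pinned(host: str, port: int, expected_pin: str, timeout: float = 5.0) -> bytes:
    """Open a TLS session to host:port and return the peer certificate (DER)
    only if its fingerprint matches expected_pin.

    A self-signed certificate has no CA chain to validate, so chain and
    hostname checks are disabled and the pin is the only trust decision.
    A mismatch raises ssl.SSLError before anything (such as a login form)
    is sent over the session.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not pin_matches(der, expected_pin):
                raise ssl.SSLError(f"certificate fingerprint mismatch for {host}:{port}")
            return der


# Constructed sample for offline demonstration: not a real certificate, just
# bytes standing in for a DER blob whose SHA-256 was recorded out of band.
SAMPLE_DER = b"-- constructed DER placeholder for 10.10.147.2 --"
SAMPLE_PIN = fingerprint_sha256(SAMPLE_DER)

if __name__ == "__main__":
    # Against a real concentrator you would record the pin once, then call
    # connect_pinned("10.10.147.2", 443, "AB:CD:...")  (assumed host/port).
    print("sample pin:", SAMPLE_PIN)
    print("matches:", pin_matches(SAMPLE_DER, SAMPLE_PIN.upper()))
    print("mismatch:", pin_matches(b"something else", SAMPLE_PIN))
```

`connect_pinned` deliberately disables chain and hostname verification, because a self-signed device certificate has no chain to verify, and substitutes the fingerprint pin; a mismatch raises before any credentials are sent. A device of this vintage typically negotiates nothing newer than TLS 1.0, which current OpenSSL builds refuse by default, so against real hardware you may also need to lower `ctx.minimum_version`, and you should accept that weaker protocol only on an isolated management network.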


Logging into the VPN Concentrator Manager

The procedure for logging into the VPN Concentrator Manager is the same for both types of connections, cleartext HTTP and secure HTTPS.

Entries are case-sensitive. With Microsoft Internet Explorer, you can press the Tab key to move from field to field; other browsers might work differently. If you make a mistake, click the Clear button and start over.

The following steps use the factory-supplied default entries. If you have changed them, use your entries. Because the defaults are published and an HTTP login sends them in cleartext, change the default administrator password as soon as the system is reachable and use HTTPS for routine administration. (Administrator accounts are covered in VPN 3000 Concentrator Series Reference Volume II: Administration and Monitoring.)

Step 1 Click in the Login field and type admin. (Do not press Enter.)

Step 2 Click in the Password field and type admin. (The field shows *****.)

Step 3 Click the Login button.

The VPN Concentrator Manager displays the main welcome screen. (See Figure 1-27.)

Figure 1-27 Manager Main Welcome Screen

From here you can navigate the Manager using either the table of contents in the left frame, or the Manager toolbar in the top frame.


Configuring HTTP, HTTPS, and SSL Parameters

HTTP, HTTPS, and SSL are enabled by default on the VPN Concentrator, and they are configured with recommended parameters that should suit most administration tasks and security requirements.

To configure HTTP parameters, see the Configuration | System | Management Protocols | HTTP screen.

To configure SSL and HTTPS parameters, see the Configuration | Tunneling and Security | SSL screen.

For additional security, by default the Manager is reachable only on the private interface or through an established VPN tunnel, so the management protocols are not exposed on the public interface.

Organization of the VPN Concentrator Manager

The VPN Concentrator Manager consists of three major sections and many subsections:

• Configuration: Setting all the parameters for the VPN Concentrator that govern its use and functionality as a VPN device:

– Interfaces: Ethernet and power-supply interface parameters.

– System: Parameters for system-wide functions such as server access, address management, IP routing, built-in management servers, event handling, and system identification.

– User Management: Attributes for groups and users that determine their access to and use of the VPN.

– Policy Management: Policies that control access times and data traffic through the VPN via filters, rules, and IPSec Security Associations.

– Tunneling and Security: Attributes for PPTP, L2TP, IPSec, SSH, SSL, and WebVPN.

• Administration: Managing higher-level functions that keep the VPN Concentrator operational and secure, such as who is allowed to configure the system, what software runs on it, and managing its digital certificates.

• Monitoring: Viewing routing tables, event logs, system LEDs and status, data on user sessions, and statistics for protocols and system functions.

This manual covers configuration. For information on administration or monitoring, refer to VPN 3000 Concentrator Series Reference Volume II: Administration and Monitoring. For Quick Configuration, refer to the VPN 3000 Concentrator Series Getting Started manual.

Navigating the VPN Concentrator Manager

Your primary tool for navigating the VPN Concentrator Manager is the table of contents in the left frame.


Chapter 2 Configuration

Configuring the VPN Concentrator means setting all the parameters that govern its use and functionality as a VPN device.

Cisco supplies default parameters that cover typical installations and uses; once you supply minimal parameters in Quick Configuration, the system is operational. To modify the system to meet your needs and to provide an appropriate level of system security, you should configure the system in detail.

Configuration

Step 1 In the Concentrator Manager table of contents, click Configuration. The Configuration screen opens.

Figure 2-1 Configuration Screen


The Configuration section of the Manager lets you configure all VPN Concentrator features and functions. For each section of the Manager, see the applicable chapter in this manual.

• Interfaces: Parameters specific to the Ethernet interfaces: public, private, and external. Power supply and voltage sensor alarms.

• System: Parameters for system-wide functions: server access, address assignment, IP routing, built-in management servers, system events, and system identification.

• User Management: Attributes for groups and users that determine their access to and use of the VPN.

• Policy Management: Policies that control data traffic through the VPN via filters, rules, and IPSec Security Associations; network lists; access times; and NAT.

• Tunneling and Security: Attributes for PPTP, L2TP, IPSec, SSH, SSL, and WebVPN.


Chapter 3 Interfaces

The Interfaces section of the VPN 3000 Concentrator Series Manager applies primarily to Ethernet network interfaces. In this section, you configure functions that are interface-specific, rather than system-wide. There is also a screen to configure power-supply and voltage-sensor alarms.

Typically, you configure at least two network interfaces for the VPN Concentrator to operate as a VPN device: usually the Ethernet 1 (Private) and the Ethernet 2 (Public) interfaces. If you used Quick Configuration as described in the VPN 3000 Series Concentrator Getting Started manual, the system supplied many default parameters for the interfaces. In the Interfaces section, you can customize the configuration.

The VPN Concentrator uses filters to control, or govern, data traffic passing through the system (see Configuration | Policy Management | Traffic Management). You apply filters both to interfaces and to groups and users. Group and user filters govern tunneled group and user data traffic; interface filters govern all data traffic.

Network interfaces usually connect to a router that routes data traffic to other networks. The VPN Concentrator includes IP routing functions: static routes, RIP (Routing Information Protocol), and OSPF (Open Shortest Path First). You configure RIP and interface-specific OSPF in the Interfaces section. You configure static routes, the default gateway, and system-wide OSPF in the IP Router section (see the Configuration | System | IP Routing screens).

RIP and OSPF are routing protocols that routers use to send messages to other routers to determine network connectivity, status, and optimum paths for sending data traffic. The VPN Concentrator supports RIP versions 1 and 2, and OSPF version 2. You can enable both RIP and OSPF on an interface.

Filter settings override RIP and OSPF settings on an interface; therefore, be sure settings in filter rules are consistent with RIP and OSPF use. For example, if you intend to use RIP, be sure you apply a filter rule that forwards UDP packets on the RIP port (UDP port 520). OSPF does not use TCP or UDP; it runs directly over IP as protocol 89, so a rule for OSPF must forward that protocol rather than a port.
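As an added example (editor's code, not the Manager's filter format), the following Python script models an interface filter as an ordered list of rules with first-match semantics and a default action, which is assumed here to be how the concentrator evaluates a filter, and checks whether RIP and OSPF traffic would still be forwarded. The rule and packet structures and the two sample filters are constructed for illustration; the protocol facts (RIP on UDP port 520, OSPF as IP protocol 89) are not assumptions.

```python
"""Checks that an interface filter still lets routing-protocol traffic through.

Added example; the rule representation is an assumption for illustration,
not the Manager's own filter format. Rules are assumed to be evaluated in
order, first match wins, with a default action when nothing matches.
"""
from dataclasses import dataclass
from typing import List, Optional

UDP, OSPF, ANY = "udp", "ospf", "any"   # protocol names used by the constructed rules
RIP_PORT = 520                          # RIP v1/v2 runs over UDP port 520
OSPF_IP_PROTOCOL = 89                   # OSPF is IP protocol 89; it has no ports


@dataclass(frozen=True)
class Rule:
    action: str                 # "forward" or "drop"
    protocol: str = ANY         # "udp", "tcp", "ospf", "any", ...
    port: Optional[int] = None  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: Optional[int] = None


def first_match(rules: List[Rule], pkt: Packet, default: str) -> str:
    """Return the action of the first rule matching pkt, or the filter default."""
    for rule in rules:
        proto_ok = rule.protocol in (ANY, pkt.protocol)
        port_ok = rule.port is None or rule.port == pkt.port
        if proto_ok and port_ok:
            return rule.action
    return default


def routing_gaps(rules: List[Rule], default: str, rip: bool = False,
                 ospf: bool = False) -> List[str]:
    """Names of the enabled routing protocols that this filter would drop."""
    gaps = []
    if rip and first_match(rules, Packet(UDP, RIP_PORT), default) != "forward":
        gaps.append("RIP (UDP/520)")
    if ospf and first_match(rules, Packet(OSPF), default) != "forward":
        gaps.append(f"OSPF (IP protocol {OSPF_IP_PROTOCOL})")
    return gaps


# Constructed filters for demonstration.
GOOD = [Rule("forward", UDP, RIP_PORT), Rule("forward", OSPF), Rule("drop")]
# Same rules in the wrong order: the catch-all drop shadows the routing rules.
SHADOWED = [Rule("drop"), Rule("forward", UDP, RIP_PORT), Rule("forward", OSPF)]

if __name__ == "__main__":
    print("good filter gaps:    ", routing_gaps(GOOD, "drop", rip=True, ospf=True))
    print("shadowed filter gaps:", routing_gaps(SHADOWED, "drop", rip=True, ospf=True))
```

The shadowed filter shows the failure mode the text warns about: the routing rules are present but unreachable, so RIP and OSPF are silently dropped even though both are enabled on the interface.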


Configuration | Interfaces

This section lets you configure the VPN Concentrator Ethernet interface modules (up to three, depending on model). You can also configure alarm thresholds for the power-supply modules.

Model 3005 comes with two Ethernet interfaces. Models 3015 through 3080 come with three Ethernet interfaces.

• Ethernet 1 (Private) is the interface to your private network (internal LAN).

• Ethernet 2 (Public) is the interface to the public network.

• Ethernet 3 (External) is the interface to an additional LAN (Models 3015 through 3080 only).

Configuring an Ethernet interface includes supplying an IP address, applying a traffic-management filter, setting the speed and transmission modes, and configuring RIP and OSPF routing protocols.

Note Interface settings take effect as soon as you apply them. If the system is in active use, changes might affect tunnel traffic.

The table shows all installed interfaces and their status.

Figure 3-1 Configuration | Interfaces Screen (Model 3005)


Figure 3-2 Configuration | Interfaces Screen (Models 3015 through 3080)

To configure a module, either click the appropriate link in the status table; or use the mouse pointer to select the module on the back-panel image, and click anywhere in the highlighted area.

Refresh

To update the screen contents, click the Refresh button. The date and time above this reminder indicate when the screen was last updated.

Interface

The VPN Concentrator interface installed in the system. To configure an interface, click the appropriate link.


Ethernet 1 (Private), Ethernet 2 (Public), Ethernet 3 (External)

To configure Ethernet interface parameters, click the appropriate highlighted link in the table or click in a highlighted module on the back-panel image. See Configuration | Interfaces | Ethernet 1 2 3.

[Renew | Release]

This field appears under Ethernet 1, 2, or 3 if DHCP Client is enabled for that interface.

Renew: Renews the DHCP client lease for the interface.

Release: Releases the DHCP client lease for the interface.

DNS Server(s)

This field displays the IP addresses of up to three configured DNS servers.

To view or edit DNS server information, click DNS Server. The Configuration | System | Servers | DNS window appears.

DNS Domain Name

The registered domain in which the VPN Concentrator is located, for example: cisco.com.

To view or edit DNS Domain Name information, click DNS Domain Name. The Configuration | System | Servers | DNS window appears.

Status

The operational status of this interface.

• Up = (Green) Configured, enabled, and operational; ready to pass data traffic.

• Down = (Red) Configured but disabled or disconnected.

• Testing = In test mode; no regular data traffic can pass.

• Dormant = (Red) Configured and enabled but waiting for an external action, such as an incoming connection.

• Not Present = (Red) Missing hardware components.

• Lower Layer Down = (Red) Not operational because a lower-layer interface is down.

• Unknown = (Red) Not configured or not able to determine status.

• Not Configured = Present but not configured.

• Waiting for DHCP = DHCP is enabled, but the VPN Concentrator has not received an IP address.

• Lease expires in... (hh:mm:ss) = If DHCP Client is enabled on any interface, the amount of time remaining on the lease appears here. You can also view this information on the Configuration | Interfaces | Ethernet 1 2 3 screens.

IP Address

The IP address configured on this interface.


Subnet Mask

The subnet mask configured on this interface.

MAC Address

The unique hardware MAC (Medium Access Control) address for this interface, displayed in 6-byte hexadecimal notation.

Default Gateway

This field displays the IP address of the default gateway for the subnet associated with this interface.

To view or edit default gateway information, click Default Gateway. The Configuration | System | IP Routing | Default Gateways window displays.

When you are not using DHCP to obtain a default gateway, you configure a default gateway manually. If DHCP client on the Ethernet 2 (Public) interface is enabled, the default gateway is automatically entered in the routing table, and not in the Configuration | System | IP Routing | Default Gateways screen.

When you configure a default gateway manually, the system automatically removes the DHCP-obtained default gateway from the routing table. To reverse this operation, renew the DHCP lease for the Ethernet 2 (Public) interface.

Power Supplies

To configure alarm thresholds on system power supplies, click the appropriate highlighted link or click in a highlighted power-supply module in the back-panel image and see Configuration | Interfaces | Power.

Ethernet 1 (Private), Ethernet 2 (Public), Ethernet 3 (External) Module in Back-Panel Image

To configure Ethernet interface parameters, click the appropriate highlighted Ethernet module in the back-panel image and see Configuration | Interfaces | Ethernet 1 2 3.


Configuration | Interfaces | Power

This screen lets you configure alarm thresholds for voltages in the system power supplies, CPU, and main circuit board. You set high and low thresholds for the voltages. (For recommended thresholds, see Table 3-1.) When the system detects a voltage outside a threshold value, it generates a HARDWAREMON (hardware monitoring) event. (See Configuration | System | Events.) If a power supply is faulty, the appropriate Power Supply LED on the front panel is amber.

Warning If a voltage generates an alarm, shut down the system in an orderly way and contact Cisco support. Operating the system with out-of-range voltages, especially if they exceed the high threshold, might cause permanent damage.

You can view system voltages and status on the Monitoring | System Status | Power screen.

Table 3-1 Recommended Power Thresholds

Monitor             Minimum-Maximum Range (centivolts)   Tolerance
1.9V CPU            180-201 cV                           ±10 cV
2.5V CPU            241-260 cV                           ±10 cV
3.3V power supply   321-389 cV                           ±10% (+25 cV if redundant power supply)
5.0V power supply   471-577 cV                           ±10% (+25 cV if redundant power supply)
3.3V board          314-346 cV                           ±5%
5.0V board          474-524 cV                           ±5%


Figure 3-3 Configuration | Interfaces | Power screen (Model 3005)

Figure 3-4 Configuration | Interfaces | Power screen (Model 3015 through 3080)

Alarm Thresholds

The fields show default values for alarm thresholds in centivolts; for example, 361 = 3.61 volts. Enter or edit these values as desired.

The hardware sets voltage thresholds in increments that might not match an entered value. The fields show the actual thresholds, and the values might differ from your entries.

CPU

High and low thresholds for the voltage sensors on the CPU chip. The value is system dependent, either 2.5 or 1.9 volts.


Power Supply A, B

High and low thresholds for the 3.3- and 5-volt outputs from the power supplies. You can enter values for the second power supply on Models 3015–3080 even if it is not installed.

Board

High and low thresholds for the 3.3- and 5-volt sensors on the main circuit board.

Apply / Cancel

To apply your settings to the system and include them in the active configuration, click Apply. The Manager returns to the Configuration | Interfaces screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen.


Configuration | Interfaces | Ethernet 1 2 3

This screen lets you configure parameters for the Ethernet interface you selected. It displays the current parameters, if any.

Configuring an Ethernet interface includes supplying an IP address, identifying it as a public interface, applying a traffic-management filter, setting speed and transmission mode, and configuring RIP and OSPF routing protocols.

To apply a custom filter, you must configure the filter first; see Configuration | Policy Management | Traffic Management.

Caution If you modify any parameters of the interface that you are currently using to connect to the VPN Concentrator, you will break the connection, and you will have to restart the Manager from the login screen.

Using the Tabs

This screen includes three tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel.


General Parameters Tab

This tab lets you configure general interface parameters: DHCP client, IP address, subnet mask, public interface status, filter, speed, transmission mode, maximum transmission unit, and IPSec fragmentation policy.

Figure 3-5 Configuration | Interfaces | Ethernet 1 2 3 Screen, General Tab

Disabled

To make the interface offline, click Disabled. This state lets you retain or change its configuration parameters.

If the interface is configured but disabled (offline), the appropriate Ethernet Link Status LED blinks green on the VPN Concentrator front panel.

DHCP Client

Check the DHCP Client check box if you want to obtain the IP address, the subnet mask, and the default gateway for this interface via DHCP. If you check this box, do not make entries in the IP address and subnet mask fields that follow.

Note Because some Internet service providers require that the host name be specified in DHCP requests, you might have to specify the system name when running the DHCP Client on the VPN Concentrator public interface. (Specify the system name on the Configuration | System | General | Identification screen.) The VPN Concentrator uses the system name as the host name in DHCP requests.

Static IP Addressing

IP Address

If you want to set a static IP address for this interface, enter the IP address here, using dotted decimal notation (for example, 192.168.12.34). Note that 0.0.0.0 is not allowed. Be sure no other device is using this address on the network.

Subnet Mask

Enter the subnet mask for this interface, using dotted decimal notation (for example, 255.255.255.0). The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For example, the IP address 192.168.12.34 is a Class C address, and the standard subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is not allowed.

Public Interface

To make this interface a public interface, check the Public Interface check box. A public interface is an interface to a public network, such as the Internet. You must configure a public interface before you can configure NAT and IPSec LAN-to-LAN, for example. You should designate only one VPN Concentrator interface as a public interface.

MAC Address

This is the unique hardware MAC (Medium Access Control) address for this interface, displayed in six-byte hexadecimal notation. You cannot change this address.

Filter

The filter governs the handling of data packets through this interface: whether to forward or drop, in accordance with configured criteria. Cisco supplies three default filters that you can modify and use with the VPN Concentrator. You can configure filters on the Configuration | Policy Management | Traffic Management screens.

Click the drop-down menu button and choose the filter to apply to this interface:

• 1. Private (Default) = Allow all packets except source-routed IP packets. Cisco supplies this default filter for Ethernet 1, but it is not selected by default.

• 2. Public (Default) = Allow inbound and outbound tunneling protocols plus ICMP and VRRP. Allow fragmented IP packets. Drop everything else, including source-routed packets. Cisco supplies this default filter for Ethernet 2, and it is selected by default for Ethernet 2.

• 3. External (Default) = No rules applied to this filter. Drop all packets. Cisco supplies this default filter for Ethernet 3, but it is not selected by default.

• –None– = No filter applied to the interface, which means there are no restrictions on data packets. This is the default selection for Ethernet 1 and 3.

Other filters that you have configured also appear in this menu.

Speed

Click the Speed drop-down menu button and choose the interface speed:

• 10 Mbps = Fix the speed at 10 megabits per second (10Base-T networks).

• 100 Mbps = Fix the speed at 100 megabits per second (100Base-T networks).

• 10/100 auto = Let the VPN Concentrator automatically detect and set the appropriate speed, either 10 or 100 Mbps (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the speed. Otherwise, choose the appropriate fixed speed.

Duplex

Click the Duplex drop-down menu button and choose the interface transmission mode:

• Auto = Let the VPN Concentrator automatically detect and set the appropriate transmission mode, either full or half duplex (default). Be sure that the port on the active network device (hub, switch, router, etc.) to which you connect this interface is also set to automatically negotiate the transmission mode. Otherwise, choose the appropriate fixed mode.

• Full-Duplex = Fix the transmission mode as full duplex: transmission in both directions at the same time.

• Half-Duplex = Fix the transmission mode as half duplex: transmission in only one direction at a time.

MTU

The MTU value specifies the maximum transmission unit (packet size) in bytes for the interface. Valid values range from 68 through 1500. The default value, 1500, is the MTU for IP.

Change this value only on an interface that terminates a VPN tunnel, typically a public or external interface.

Change this value only when the VPN Concentrator is dropping large packets because of the additional 8 bytes that a PPPoE header adds, or when other intermediate devices drop large, fragmentable packets without issuing an ICMP message. In these cases, determine the largest packet size that can pass without being dropped, and set the MTU to that value. The object is to reduce overhead on the system by sending packets that are as large as possible, but that are not so large as to require fragmentation and reassembly.

A good way to find out the largest packet size that can be passed is to use the PING utility as follows:

ping -f -l <frame size in bytes> <destination IP address>, where

f = do not fragment

l = packet length.

For example: ping -f -l 1400 10.10.32.4

Note The value you use when pinging does not include IP, ICMP, or Ethernet headers, which total 42 bytes. You need to include these 42 bytes when you set the MTU value for the interface.

If the interface is receiving large packets that require fragmentation, and the DF (Don’t Fragment) bit is set, use the third option in the IPSec Fragmentation Policy field below. You can find out if the DF bit is set by using a traffic analyzer, or you may receive this ICMP message: “Fragmentation required but the DF bit is set.”

Note Changing the MTU or the fragmentation option on any interface tears down all existing connections. For example, if 100 active tunnels terminate on the public interface, and you change the MTU or the fragmentation option on the external interface, all of the active tunnels on the public interface are dropped.

IPSec Fragmentation

The IPSec fragmentation policy specifies how to treat packets that exceed the MTU setting when tunneling traffic through the public interface. This feature provides a way to handle cases where a router or NAT device between the VPN Concentrator and the client rejects or drops IP fragments. For example, suppose a client wants to FTP get from an FTP server behind a VPN Concentrator. The FTP server transmits packets that when encapsulated would exceed the VPN Concentrator’s MTU size on the public interface. The following options determine how the VPN Concentrator processes these packets.

The fragmentation policy you set here applies to all traffic travelling out the VPN Concentrator public interface to clients running version 3.6 or later software. The second and third options described below may affect performance.

Note Clients running software versions earlier than 3.6 or L2TP over IPSec clients can use only the first option, “Do not fragment prior to IPSec encapsulation; fragment prior to interface transmission.”

The setting you configure applies to 3.6 and later clients only. The VPN Concentrator ignores the setting for clients running software versions earlier than 3.6 and protocols other than IPSec. For these clients the first option applies: “Do not fragment prior to IPSec encapsulation; fragment prior to interface transmission.”

Do not fragment prior to IPSec encapsulation; fragment prior to interface transmission

The VPN Concentrator encapsulates all tunneled packets. After encapsulation, the VPN Concentrator fragments packets that exceed the MTU setting before transmitting them through the public interface. This is the default policy for the VPN Concentrator. This option works for situations where fragmented packets are allowed through the tunnel without hindrance. For the FTP example, large packets are encapsulated and then fragmented at the IP layer. Intermediate devices may drop fragments or just out-of-order fragments. Load-balancing devices can introduce out-of-order fragments.

Fragment prior to IPSec encapsulation with Path MTU Discovery (ICMP)

The VPN Concentrator fragments tunneled packets that would exceed the MTU setting during encapsulation. For this option, the VPN Concentrator drops large packets that have the Don’t Fragment (DF) bit set, and sends an ICMP message “Packet needs to be fragmented but DF is set” to the packet’s initiator. The ICMP message includes the maximum MTU size allowed. Path MTU Discovery means that an intermediate device (in this case the VPN Concentrator) informs the source of the MTU permitted to reach the destination.

If a large packet does not have the DF bit set, the VPN Concentrator fragments it prior to encapsulating, thus creating two independent non-fragmented IP packets, and transmits them out the public interface. This is the default policy for the VPN 3002 hardware client.

For this example, the FTP server may use Path MTU Discovery to adjust the size of the packets it transmits to this destination.

Fragment prior to IPSec encapsulation without Path MTU Discovery (Clear DF bit)

The VPN Concentrator fragments tunneled packets that exceed the MTU setting before encapsulating them. If the DF bit on these packets is set, the VPN Concentrator clears the DF bit, fragments the packets, and then encapsulates them. This action creates two independent non-fragmented IP packets leaving the public interface and successfully transmits these packets to the peer site by turning the fragments into complete packets to be reassembled at the peer site. In our example, the VPN Concentrator overrides the MTU and allows fragmentation by clearing the DF bit.
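
The following Python model, added here as an illustration and not VPN Concentrator code, walks one packet through the three policy options described above, including the rule that pre-3.6 and non-IPSec clients always get the first option. The encapsulation overhead, client versions and packet sizes are assumed values.

```python
"""Decision model for the three IPSec Fragmentation Policy options.

Added illustration, not code from the VPN Concentrator. It follows the
behaviour this section describes: clients older than 3.6 and non-IPSec
protocols always get option 1; otherwise the configured option decides
whether an oversized packet is fragmented after encapsulation, dropped with
an ICMP "needs fragmentation" message (DF set, option 2), or fragmented
after the DF bit is cleared (option 3). ENCAP_OVERHEAD is a constructed
figure; real IPSec overhead depends on cipher, mode and NAT-T.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

ENCAP_OVERHEAD = 60  # assumed bytes added by IPSec encapsulation (constructed)


class Policy(Enum):
    FRAGMENT_AFTER_ENCAP = 1  # default: encapsulate, then fragment at the IP layer
    PMTUD = 2                 # fragment before encapsulation; DF packets dropped + ICMP
    CLEAR_DF = 3              # fragment before encapsulation; DF bit cleared if set


@dataclass
class Packet:
    size: int                 # inner IP packet length in bytes
    df: bool                  # Don't Fragment bit as set by the sender
    ipsec: bool = True        # False for L2TP over IPSec or other protocols
    client_version: Tuple[int, int] = (4, 1)


@dataclass
class Result:
    action: str                    # "transmit" or "drop"
    fragmented_before_encap: bool
    fragmented_after_encap: bool
    df_cleared: bool
    icmp_sent: bool
    advertised_mtu: Optional[int]  # size reported in the ICMP message (option 2)


def effective_policy(pkt: Packet, configured: Policy) -> Policy:
    """Clients earlier than 3.6 and non-IPSec clients always use option 1."""
    if pkt.client_version < (3, 6) or not pkt.ipsec:
        return Policy.FRAGMENT_AFTER_ENCAP
    return configured


def process(pkt: Packet, mtu: int, configured: Policy) -> Result:
    """Apply the fragmentation policy to one packet leaving the public interface."""
    if not 68 <= mtu <= 1500:  # valid MTU range given in this manual
        raise ValueError("MTU must be between 68 and 1500")
    policy = effective_policy(pkt, configured)
    if pkt.size + ENCAP_OVERHEAD <= mtu:
        # Encapsulated packet fits: no fragmentation under any policy.
        return Result("transmit", False, False, False, False, None)
    if policy is Policy.FRAGMENT_AFTER_ENCAP:
        # Option 1: encapsulate the whole packet, then fragment the result.
        return Result("transmit", False, True, False, False, None)
    if policy is Policy.PMTUD:
        if pkt.df:
            # Option 2 with DF set: drop and tell the initiator the largest
            # inner packet that still fits (the exact value the Concentrator
            # reports is not given in the manual; mtu - overhead is assumed).
            return Result("drop", False, False, False, True, mtu - ENCAP_OVERHEAD)
        # DF clear: split before encapsulation into independent packets.
        return Result("transmit", True, False, False, False, None)
    # Option 3: clear DF if set, fragment, then encapsulate each piece.
    return Result("transmit", True, False, pkt.df, False, None)
```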

RIP Parameters Tab

RIP is a routing protocol that routers use for messages to other routers, to determine network connectivity, status, and optimum paths for sending data traffic. RIP uses distance-vector routing algorithms, and it is an older protocol that generates more network traffic than OSPF. The VPN Concentrator includes IP routing functions that support RIP versions 1 and 2. Many private networks with simple topologies still use RIPv1, although it lacks security features. RIPv2 is generally considered the preferred version; it includes functions for authenticating other routers, for example.

To use the Network Autodiscovery feature in IPSec LAN-to-LAN configuration, or to use the automatic list generation feature in Network Lists, you must enable Inbound RIPv2/v1 on Ethernet 1. (It is enabled by default.)

Figure 3-6 Configuration | Interfaces | Ethernet 1 2 3 screen, RIP Tab

Inbound RIP

This parameter applies to RIP messages coming into the VPN Concentrator. It configures the system to listen for RIP messages on this interface.

Click the Inbound RIP drop-down menu button and choose the inbound RIP function:

• Disabled = No inbound RIP functions. The system does not listen for any RIP messages on this interface (default for Ethernet 2 and 3).

• RIPv1 Only = Listen for and interpret only RIPv1 messages on this interface.

• RIPv2 Only = Listen for and interpret only RIPv2 messages on this interface.

• RIPv2/v1 = Listen for and interpret either RIPv1 or RIPv2 messages on this interface (default for Ethernet 1).

Outbound RIP

This parameter applies to RIP messages going out of the VPN Concentrator; that is, it configures the system to send RIP messages on this interface.

Click the Outbound RIP drop-down menu button and choose the outbound RIP function:

• Disabled = No outbound RIP functions. The system does not send any RIP messages on this interface (default).

• RIPv1 Only = Send only RIPv1 messages on this interface.

• RIPv2 Only = Send only RIPv2 messages on this interface.

• RIPv2/v1 compatible = Send RIPv2 messages that are compatible with RIPv1 on this interface.

OSPF Parameters Tab

OSPF is a routing protocol that routers use for messages to other routers, to determine network connectivity, status, and optimum paths for sending data traffic. OSPF uses link-state routing algorithms, and it is a newer protocol than RIP. It generates less network traffic and generally provides faster routing updates, but it requires more processing power than RIP. The VPN Concentrator includes IP routing functions that support OSPF version 2 (RFC 2328).

OSPF involves interface-specific parameters that you configure here, and system-wide parameters that you configure on the Configuration | System | IP Routing screens.

Figure 3-7 Configuration | Interfaces | Ethernet 1 2 3 Screen, OSPF Tab

OSPF Enabled

To enable OSPF routing on this interface, check the OSPF Enabled check box. (By default it is unchecked.)

To activate the OSPF system, you must also configure and enable OSPF on the Configuration | System | IP Routing | OSPF screen.

OSPF Area ID

The area ID identifies the subnet area within the OSPF Autonomous System or domain. Routers within an area have identical link-state databases. While its format is that of a dotted decimal IP address, the ID is only an identifier and not an address.

The 0.0.0.0 area ID identifies a special area, the backbone, that contains all area border routers, which are the routers connected to multiple areas.

Enter the area ID in the field, using IP address format in dotted decimal notation (for example, 10.10.0.0). The default entry is 0.0.0.0, the backbone. Your entry also appears in the OSPF Area list on the Configuration | System | IP Routing | OSPF Areas screen.

OSPF Priority

This entry assigns a priority to the OSPF router on this interface. OSPF routers on a network elect one to be the Designated Router, which has the master routing database and performs other administrative functions. In case of a tie, the router with the highest priority number wins. A 0 entry means this router is ineligible to become the Designated Router.

Enter the priority as a number from 0 to 255. The default is 1.

OSPF Metric

This entry is the metric, or cost, of the OSPF router on this interface. The cost determines preferred routing through the network, with the lowest cost being the most desirable.

Enter the metric as a number from 1 to 65535. The default is 1.

OSPF Retransmit Interval

This entry is the number of seconds between OSPF Link State Advertisements (LSAs) from this interface, which are messages that the router sends to describe its current state.

Enter the interval as a number from 0 to 3600 seconds. The default is 5 seconds, which is a typical value for LANs.

OSPF Hello Interval

This entry is the number of seconds between Hello packets that the router sends to announce its presence, join the OSPF routing area, and maintain neighbor relationships. This interval must be the same for all routers on a common network.

Enter the interval as a number from 1 to 65535 seconds. The default is 10 seconds, which is a typical value for LANs.

OSPF Dead Interval

This entry is the number of seconds for the OSPF router to wait before it declares that a neighboring router is out of service, after the router no longer sees the neighbor’s Hello packets. This interval should be some multiple of the Hello Interval, and it must be the same for all routers on a common network.

Enter the interval as a number from 0 to 65535 seconds. The default is 40 seconds, which is a typical value for LANs.

OSPF Transit Delay

This entry is the estimated number of seconds it takes to transmit a link state update packet over this interface, and it should include both the transmission and propagation delays of the interface. This delay must be the same for all routers on a common network.

Enter the delay as a number from 0 to 3600 seconds. The default is 1 second, which is a typical value for LANs.

OSPF Authentication

This parameter sets the authentication method for OSPF protocol messages. OSPF messages can be authenticated so that only trusted routers can route messages within the domain. This authentication method must be the same for all routers on a common network.

Click the OSPF Authentication drop-down menu button and choose the authentication method:

• None = No authentication. OSPF messages are not authenticated (default).

• Simple Password = Use a clear-text password for authentication. This password must be the same for all routers on a common network. If you choose this method, enter the password in the OSPF Password field that follows.

• MD5 = Use the MD5 hashing algorithm with a shared key to generate an encrypted message digest for authentication. This key must be the same for all routers on a common network. If you choose this method, enter the key in the OSPF Password field that follows.

OSPF Password

If you chose Simple Password or MD5 for OSPF Authentication, enter the appropriate password or key in this field. Otherwise, leave the field blank.

• For Simple Password authentication, enter the common password. The maximum password length is 8 characters. The Manager displays your entry in clear text.

• For MD5 authentication, enter the shared key. The maximum shared key length is 8 characters. The Manager displays your entry in clear text.
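
The following Python checker, added as an illustration and not part of the VPN Concentrator, applies the ranges given for the OSPF parameters on this tab and compares interfaces that share a network for the values the tab says must match; interface names, intervals and keys in it are constructed.

```python
"""Range and consistency checks for the OSPF interface parameters on this tab.

Added example, not Cisco code. validate_interface() applies the limits this
tab lists (including the 8-character password/key limit) and warns when OSPF
runs without authentication; validate_segment() compares interfaces on a
common network for the values the manual says must be identical.
"""
from dataclasses import dataclass
from typing import List, Tuple

RANGES = {  # (min, max) as given in this section
    "priority": (0, 255),
    "metric": (1, 65535),
    "retransmit": (0, 3600),
    "hello": (1, 65535),
    "dead": (0, 65535),
    "transit_delay": (0, 3600),
}
AUTH_METHODS = ("None", "Simple Password", "MD5")
MAX_PASSWORD_LEN = 8
# Values the manual says must be the same on all routers sharing a network.
MUST_MATCH = ("hello", "dead", "transit_delay", "authentication", "password")


@dataclass
class OspfInterface:
    name: str                     # constructed label for the interface
    area_id: str = "0.0.0.0"      # dotted decimal; 0.0.0.0 is the backbone
    priority: int = 1
    metric: int = 1
    retransmit: int = 5
    hello: int = 10
    dead: int = 40
    transit_delay: int = 1
    authentication: str = "None"
    password: str = ""


def valid_area_id(area: str) -> bool:
    """The area ID must be written like a dotted decimal IP address."""
    parts = area.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def validate_interface(i: OspfInterface) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for one interface's OSPF settings."""
    errors, warnings = [], []
    if not valid_area_id(i.area_id):
        errors.append(f"{i.name}: area ID {i.area_id!r} is not dotted decimal")
    for fld, (lo, hi) in RANGES.items():
        v = getattr(i, fld)
        if not lo <= v <= hi:
            errors.append(f"{i.name}: {fld}={v} outside {lo}..{hi}")
    # The dead interval should be a multiple of the hello interval.
    if i.hello and i.dead and i.dead % i.hello:
        errors.append(f"{i.name}: dead {i.dead} is not a multiple of hello {i.hello}")
    if i.authentication not in AUTH_METHODS:
        errors.append(f"{i.name}: unknown authentication method {i.authentication!r}")
    elif i.authentication == "None":
        warnings.append(f"{i.name}: OSPF messages are not authenticated")
    else:
        if not i.password:
            errors.append(f"{i.name}: {i.authentication} requires a password/key")
        elif len(i.password) > MAX_PASSWORD_LEN:
            errors.append(f"{i.name}: password/key longer than {MAX_PASSWORD_LEN}")
    if i.priority == 0:
        warnings.append(f"{i.name}: priority 0, never eligible as Designated Router")
    return errors, warnings


def validate_segment(ifaces: List[OspfInterface]) -> List[str]:
    """Report parameters that differ between routers on a common network."""
    problems = []
    ref = ifaces[0]
    for other in ifaces[1:]:
        for fld in MUST_MATCH:
            if getattr(other, fld) != getattr(ref, fld):
                problems.append(f"{other.name}: {fld} differs from {ref.name}")
    return problems
```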

Apply / Cancel

To apply your settings to this interface and include your settings in the active configuration, click Apply. The Manager returns to the Configuration | Interfaces screen.

Bandwidth Parameters Tab

The Bandwidth Parameters Tab lets you enable bandwidth management on the selected interface, define the link rate for the interface and assign a bandwidth management policy to be used on the interface. Before you do these steps, you must have already created a bandwidth management policy. To create a bandwidth management policy, use the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add screen.

For detailed information on the Bandwidth Management feature, see the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify section.

Figure 3-8 Configuration | Interfaces | Ethernet 1 2 3 Screen, Bandwidth Tab

Bandwidth Management

To enable bandwidth management on this interface, check the Bandwidth Management check box.

Link Rate

The link rate is the speed of the network connection through the Internet.

Note The defined link rate is the available Internet bandwidth, not the physical LAN connection rate. If the router in front of the VPN Concentrator has a T1 connection to the Internet, set the link rate to 1544 kbps.

Enter a value for the speed of the network connection for this interface, and select a unit of measurement.

• bps—bits per second

• kbps—one thousand bits per second

• Mbps—one million bits per second

The default link rate is 1544 kbps.

Bandwidth Policy

Select a policy from the drop-down list. If there are no policies in this list, you must go to Configuration | Policy Management | Traffic Management | Bandwidth Policies and define one or more policies.

The policy you apply here is a default bandwidth policy for all users on this interface. This policy is applied to users who do not have a bandwidth management policy applied to their group.

Apply/Cancel

To apply this change to the configuration, click Apply. To cancel the action, click Cancel.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen.

WebVPN Parameters Tab

This screen lets you configure interface-specific parameters for WebVPN. On any interface, you can configure these features either singly or in combination. To use the following features on an interface, you must enable them here:

• WebVPN (HTTPS) connections.

• POP3S, IMAP4S, and SMTPS for e-mail proxy sessions.

• HTTPS Management sessions.

Note To define e-mail servers, ports, and protocols for e-mail proxy support, go to Configuration | Tunneling and Security | WebVPN | E-Mail. For guidance on configuring user e-mail accounts, see Appendix B, “Configuring WebVPN,” and Appendix C, “WebVPN End User Set-up.”

Figure 3-9 Configuration | Interfaces | Ethernet 1 2 3 Screen, WebVPN Tab

Allow Management HTTPS sessions

To allow HTTPS management sessions on this interface, check this box (the default). Disabling HTTPS on the interface you are using to manage the Concentrator ends the management session abruptly and displays a warning message.

Figure 3-10 HTTPS Error Message Screen

Allow WebVPN HTTPS session

To enable a WebVPN session on this interface, check this box, which is the default. When this parameter is enabled the VPN Concentrator Login screen includes a WebVPN Login link.

By default, HTTPS traffic enters the VPN Concentrator through port 443. To change the port or edit other HTTPS parameters, go to Configuration | Tunneling and Security | SSL | HTTPS.

Redirect HTTP to HTTPS

Check to force any incoming HTTP connections to be redirected to HTTPS. When checked, HTTP connections are no longer permitted on the interface.

Allow POP3S sessions

To enable e-mail programs that use the POP3S protocol to run on this interface using the e-mail proxy feature, check this box. By default the box is unchecked. Also by default, POP3S traffic enters the VPN Concentrator through port 995. To change the port or edit other e-mail parameters, go to Configuration | Tunneling and Security | WebVPN | E-Mail.

Allow IMAP4S sessions

To enable e-mail programs that use the IMAP4S protocol to run on this interface using the e-mail proxy feature, check this box. By default the box is unchecked. Also by default, IMAP4S traffic enters the VPN Concentrator through port 993. To change the port or edit other e-mail parameters, go to Configuration | Tunneling and Security | WebVPN | E-Mail.

Allow SMTPS sessions

To enable e-mail programs that use the SMTPS protocol to run on this interface using the e-mail proxy feature, check this box. By default the box is unchecked. Also by default, SMTPS traffic enters the VPN Concentrator through port 988. To change the port or edit other e-mail parameters, go to Configuration | Tunneling and Security | WebVPN | E-Mail.

Apply/Cancel

To apply changes to the configuration, click Apply. To cancel the action, click Cancel.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen.

Chapter 4 System Configuration

System configuration means configuring parameters for system-wide functions in the VPN Concentrator.

Configuration | System

Step 1 In the Configuration screen, click the System link. The System screen opens.

Figure 4-1 Configuration | System Screen

This section of the Manager lets you configure parameters for VPN Concentrator system-wide functions.

• Servers: Identifying servers for authentication, authorization, accounting, DNS, DHCP, firewall, and NTP.

• Address Management: Assigning addresses to clients as a tunnel is established.

• IP Routing: Configuring static routes, default gateways, OSPF, global DHCP, DHCP Relay, redundancy (VRRP), and Reverse Route Injection (RRI).

• Management Protocols: Configuring and enabling built-in servers for FTP, HTTP/HTTPS, TFTP, Telnet, SNMP, SSL, SSH, and XML.

• Events: Handling system events via logs, FTP backup, SNMP traps, syslog, SMTP, and e-mail.

• General: Identifying the system, setting the time and date, changing the maximum session limit, and configuring global authentication parameters.

• Client Update: Automatically updating client software.

• Load Balancing: Configuring virtual clusters and individual devices within virtual clusters.

See the appropriate chapter in this manual or the online help for each section.

Chapter 5 Servers

Configuring servers means identifying them to the VPN 3000 Concentrator so it can communicate with them correctly. These servers provide user authentication, authorization, and accounting functions, convert host names to IP addresses, assign client IP addresses, and synchronize the system with network time. The VPN Concentrator functions as a client of these servers.

Configuration | System | Servers

This section of the Manager lets you configure the VPN Concentrator to communicate with servers for various functions.

• Authentication Servers: User authentication.

• Authorization Servers: User authorization.

• Accounting Servers: RADIUS user accounting.

• DNS Servers: Domain Name System.

• DHCP Servers: Dynamic Host Configuration Protocol.

• Firewall Servers: Firewall enforcement by means of the Zone Labs Integrity Server.

• NTP Servers: Network Time Protocol.

You can also configure the VPN Concentrator internal authentication server here if you have not already done so during Quick Configuration.

Figure 5-1 Configuration | System | Servers Screen

Configuration | System | Servers | Authentication

This section lets you configure the VPN Concentrator internal server and external RADIUS, NT Domain, and SDI servers for authenticating users. To create and use a VPN, you must configure at least one authentication server type; there must be at least one method of authenticating users.

You configure authentication servers here for the following:

• If you check Use Address from Authentication Server on the Configuration | System | Address Management | Assignment screen, you must configure an authentication server here.

• To correspond to the settings for Authentication method on the IPSec Parameters tab on the Configuration | User Management | Base Group screens. For example, if you specify RADIUS authentication under IPSec for the base group, you must configure at least one RADIUS authentication server here. In this example, the first RADIUS server is considered the primary server, the second RADIUS server is backup, and so on; any other server types are ignored.

• For WebVPN users, configure an authentication server(s) here. Even for WebVPN users assigned to a group, you configure authentication servers for WebVPN globally rather than in the Groups screens. WebVPN users authenticate according to the first active server, independent of type. The VPN Concentrator does not support multiple authentication types for WebVPN users.

Note WebVPN users that authenticate with certificates use an authorization server, not an authentication server, although the same server can serve as both an authentication and authorization server. See Configuration | System | Servers | Authorization for more information.

Before you configure an external server here, be sure that the external server you reference is itself properly configured and that you know how to access it (IP address or host name, TCP/UDP port, secret/password, etc.). The VPN Concentrator functions as the client of these servers.

The VPN 3000 software CD-ROM includes a link that customers with CCO logins can use to access an evaluation copy of the CiscoSecure ACS RADIUS authentication server. The VPN 3000 software CD-ROM also has current VPN 3000 VSA registry files that let customers load new supported attributes on their ACS server, and provides instructions for using them.

After you have configured an external authentication server, you can also test it. Testing sends a username and password to the server to determine that the VPN Concentrator is communicating properly with it, and that the server properly authenticates valid users and rejects invalid users.

If you configure the internal authentication server, you can add users to the internal database by clicking the highlighted link, which takes you to the Configuration | User Management | Users screen. To configure the internal server, you add at least one user or group to the internal database.

If you configure IPSec on the Quick Configuration | Protocols screen, the VPN Concentrator automatically configures the internal authentication server. The internal server is also the default selection on the Quick Configuration | Authentication screen.

You can configure and prioritize up to 10 authentication servers here. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative. After you configure authentication server(s), you assign them to groups and users; see Chapter 13, “User Management,” for information about configuring groups and users to use authentication servers.

Different Handling: PPTP Clients and Cisco VPN Clients

The VPN Concentrator handles authentication differently for PPTP clients and the Cisco VPN Client.

• For PPTP Clients: The VPN Concentrator authenticates the user first. If the user uses the RADIUS Server for authentication and the RADIUS server returns a group name in the Class attribute (#25), then the VPN Concentrator authenticates the group. The VPN Concentrator can authenticate the group either through the Internal database (Internal Authentication Server) or RADIUS (External Authentication Server).

• For the Cisco VPN Client: The VPN Concentrator authenticates the group first, either through the Internal Group database (Internal) or RADIUS (External). The VPN Concentrator then authenticates the user through the method selected in the group attributes for that user under the attribute Authentication Type (that is, RADIUS, SDI, Internal, etc.).

Figure 5-2 Configuration | System | Servers | Authentication Screen

Authentication Servers

The Authentication Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type, for example: 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server of each type is the primary, the rest are backup.

Add / Modify / Delete / Move / Test

To configure a new user-authentication server, click Add. The Manager opens the Configuration | System | Servers | Authentication | Add screen.

To modify a configured user authentication server, select the server from the list and click Modify. The Manager opens the Configuration | System | Servers | Authentication | Modify screen. The internal server has no configurable parameters, therefore there is no Modify screen. If you select the internal server and click Modify, the Manager displays an error message.

To remove a configured user authentication server, select the server from the list and click Delete.

Note There is no confirmation or undo, except for the Internal Server (see the Configuration | System | Servers | Authentication | Delete screen).


The Manager refreshes the screen and shows the remaining entries in the Authentication Servers list.


Note If you delete a server, users authenticated by that server will no longer be able to access the VPN unless another configured server can authenticate them.

To change the priority order for configured servers, select the entry from the list and click Move [Up Arrow] or Move [Down Arrow]. The Manager refreshes the screen and shows the reordered Authentication Servers list.

To test a configured external user authentication server, select the server from the list and click Test. The Manager opens the Configuration | System | Servers | Authentication | Test screen. There is no need to test the internal server, and trying to do so returns an error message.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | Servers | Authentication | Add or Modify

These screens let you:

• Add: Configure and add a new user authentication server.

• Modify: Modify parameters for a configured user authentication server.

Click the Server Type drop-down menu button and select the type of server. The screen and its configurable fields change depending on the server type. Choices are:

• RADIUS = An external Remote Authentication Dial-In User Service server (default).

• NT Domain = An external Windows NT Domain server.

• SDI = An external RSA Security Inc. SecurID server.

• Kerberos/Active Directory = An external Windows/Active Directory server or a UNIX/Linux Kerberos server.

• Internal Server = The internal VPN Concentrator authentication server. With this server, you can configure a maximum of 100 groups and users (combined) in the internal database. See Configuration | User Management for details.

Find your selected server type:

Server Type = RADIUS

Configure these parameters for a RADIUS (Remote Authentication Dial-In User Service) authentication server.

Note Certain RADIUS servers can send large packets. The VPN Concentrator supports packets up to 4096 bytes. It ignores packets larger than that.

RADIUS Authentication Information Specific to PPTP

Most RADIUS servers do not support MSCHAP Version 1 or 2 user authentication. If you plan to use a RADIUS server that does not support MSCHAP, you must configure the base group's PPTP Authentication Protocols to PAP and/or CHAP only. With PAP or CHAP only, the PPTP tunnel gets no MPPE data encryption, and with PAP the user's password also crosses the link in cleartext.

CiscoSecure ACS for Windows Release 2.5 and higher supports MSCHAP V.1.

To use encryption with PPTP, your RADIUS server must support MSCHAP authentication and the return attribute MSCHAP-MPPE-Keys. Some examples of RADIUS servers that support MSCHAP-MPPE-Keys are:

• Funk Software’s Steel-Belted RADIUS (MSCHAP V1 only)

• Microsoft’s Internet Authentication Server, which comes with the NT 4.0 Server Options Pack

• Microsoft’s Commercial Internet System (MCIS 2.0)

• Internet Authentication Server in Windows 2000 Server


Figure 5-3 Configuration | System | Servers | Authentication | Add or Modify RADIUS Screen

Authentication Server

Enter the IP address or host name of the RADIUS authentication server, for example: 192.168.12.34. The maximum number of characters is 32. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)

Server Port

Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 1645.

Note RFC 2865 assigns RADIUS authentication to UDP port 1812; 1645 is the older, pre-RFC port that many servers still accept. You might need to change this default value to 1812 to match your server.

Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next RADIUS authentication server in the list. The minimum number of retries is 0. The default number is 2. The maximum number is 10.


Server Secret

Enter the RADIUS server secret (also called the shared secret), for example: C8z077f. The maximum field length is 64 characters. The field shows only asterisks. Use a long, random secret and enter the same value on the RADIUS server: it is the only thing that hides user passwords in transit and lets the VPN Concentrator verify that replies really came from that server.

Verify

Re-enter the RADIUS server secret to verify it. The field shows only asterisks.
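The following is an added example, not code from this manual or from Cisco, showing what the shared secret does on the wire: an RFC 2865 Access-Request with a PAP password hidden under the secret, an Access-Accept that returns the group name in a Class (#25) attribute as described under "Different Handling" above, and the client-side Response Authenticator check. The server, the user database (alice / sales) and the secrets are all constructed for the example and run in-process; the 4096-byte limit mirrors the Note above.

```python
"""Constructed RADIUS PAP exchange (RFC 2865) with shared-secret checks.
Not Cisco code: both client and 'server' are in-process, no network I/O."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CLASS = 1, 2, 25      # attribute types from RFC 2865
MAX_PACKET = 4096                               # larger packets are dropped, as the manual notes


def _pack_attrs(pairs):
    """Serialize (type, value) pairs as TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the chaining value is the previous ciphertext block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    req_auth = os.urandom(16)                   # Request Authenticator: fresh random per request
    attrs = _pack_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, req_auth))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt, req_auth


def server_respond(pkt, secret, userdb):
    """Constructed server: check PAP credentials and answer with Access-Accept
    carrying the user's group in Class (#25), or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], dict(_parse_attrs(pkt[20:length]))
    user = attrs.get(USER_NAME, b"")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    entry = userdb.get(user)
    if code == ACCESS_REQUEST and entry and hmac.compare_digest(pw, entry[0]):
        rcode, rattrs = ACCESS_ACCEPT, _pack_attrs([(CLASS, entry[1])])
    else:
        rcode, rattrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", rcode, ident, 20 + len(rattrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + rattrs + secret).digest()
    return header + resp_auth + rattrs


def client_check_response(resp, ident, req_auth, secret):
    """Return ('accept', group), ('reject', None) or ('no-response', None).
    Anything that fails the identifier or authenticator check is silently
    discarded, exactly as if the server had never answered."""
    if len(resp) < 20 or len(resp) > MAX_PACKET:
        return "no-response", None
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or length != len(resp):
        return "no-response", None
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return "no-response", None
    if code != ACCESS_ACCEPT:
        return "reject", None
    return "accept", dict(_parse_attrs(resp[20:])).get(CLASS)


def authenticate(username, password, client_secret, server_secret, userdb, ident=7):
    pkt, req_auth = build_access_request(ident, username, password, client_secret)
    return client_check_response(server_respond(pkt, server_secret, userdb),
                                 ident, req_auth, client_secret)


USERDB = {b"alice": (b"s3cret!", b"sales")}     # constructed: user -> (password, group)

if __name__ == "__main__":
    print(authenticate(b"alice", b"s3cret!", b"C8z077f", b"C8z077f", USERDB))  # accept, sales
    print(authenticate(b"alice", b"wrong", b"C8z077f", b"C8z077f", USERDB))    # reject
    print(authenticate(b"alice", b"s3cret!", b"C8z077f", b"typo", USERDB))     # no-response
```

The third call is the case worth remembering when using the Test screen later in this chapter: with a mismatched secret the server still answers, but the reply fails the authenticator check and is discarded, so the symptom is a timeout rather than an "Authentication Rejected" result.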

Add or Apply / Cancel

To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | Servers | Authentication screen. Any new server appears at the bottom of the Authentication Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.

Server Type = NT Domain

Configure these parameters for a Windows NT Domain authentication server.

Note NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated.

Figure 5-4 Configuration | System | Servers | Authentication | Add or Modify NT Domain Screen


Authentication Server Address

Enter the IP address of the NT Domain authentication server, for example: 192.168.12.34. Use dotted decimal notation.

Server Port

Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 139.

Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next NT Domain authentication server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.

Domain Controller Name

Enter the NT Primary Domain Controller host name for this server, for example: PDC01. The maximum host name length is 16 characters. You must enter this name, and it must be the correct host name for the server for which you entered the IP address in Authentication Server Address; if it is incorrect, authentication will fail.

Add or Apply / Cancel

To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | Servers | Authentication screen. Any new server appears at the bottom of the Authentication Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.


Server Type = SDI

Configure these parameters for an RSA Security Inc. SecurID authentication server.

VPN Concentrator software version 3.6 and later supports both SDI version 5.0 and SDI versions prior to 5.0.

SDI Version pre-5.0

SDI versions prior to 5.0 use the concept of an SDI master and an SDI slave server which share a single node secret file (SECURID). On the VPN Concentrator you can configure one pre-5.0 SDI master server and one SDI slave server globally, and one SDI master and one SDI slave server per each group.

SDI Version 5.0

SDI version 5.0 uses the concepts of an SDI primary and SDI replica servers. A primary and its replicas share a single node secret file. On the VPN Concentrator you can configure one SDI 5.0 server globally, and one per each group.

A version 5.0 SDI server that you configure on the VPN Concentrator can be either the primary or any one of the replicas. See the section below, “SDI Primary and Replica Servers” for information about how the SDI agent selects servers to authenticate users.

You can have one SDI primary server and up to 10 replicas; use the SDI documentation for configuration instructions. The primary and all the replicas can authenticate users, and they share a single node secret file, whose name is the hexadecimal value of the ACE/Server IP address with .sdi appended. SDI servers that you configure here apply globally. You can also configure SDI servers on a group basis (see Configuration | User Management | Groups, and click Add/Modify Auth Servers).

Two-step Authentication Process

SDI version 5.0 uses a two-step process to prevent an intruder from capturing information from an RSA SecurID authentication request and using it to authenticate to another server. The Agent first sends a lock request to the SecurID server before sending the user authentication request. The server locks the username, preventing another (replica) server from accepting it. This means that the same user cannot authenticate to two VPN Concentrators using the same authentication servers simultaneously. After a successful username lock, the VPN Concentrator sends the passcode.

SDI Primary and Replica Servers

The VPN Concentrator obtains the server list when the first user authenticates to the configured server, which can be either a primary or a replica. The VPN Concentrator then assigns priorities to each of the servers on the list, and subsequent server selection derives at random from those assigned priorities. The highest priority servers have a higher likelihood of being selected.


Figure 5-5 Configuration | System | Servers | Authentication | Add or Modify SDI Screen

Authentication Server

Enter the IP address or host name of the SDI authentication server, for example: 192.168.12.34. The maximum host name length is 32 characters. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)

SDI Server Version

Use the drop-down menu to select the SDI server version you are using, pre-5.0 or 5.0.

Server Port

Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 5500.

Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum value is 1 second. The default value is 4 seconds. The maximum value is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next SDI authentication server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number is 10.


Add or Apply / Cancel

To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | Servers | Authentication screen. Any new server appears at the bottom of the Authentication Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.

Server Type = Kerberos/Active Directory

Configure these parameters for a Kerberos/Active Directory server.

The VPN Concentrator supports 3DES, DES, and RC4 encryption types.

Note The VPN Concentrator does not support changing user passwords during tunnel negotiation, so a user whose password has expired cannot be prompted to change it at connect time. To avoid locking such users out, disable password expiration on the Kerberos/Active Directory server for users connecting to the VPN Concentrator.

If you are configuring authentication to a Linux machine acting as a Kerberos server, check the available keys for the users you want to authenticate. The following key must be available: DES cbc mode with RSA-MD5, Version 5 (des-cbc-md5). This is single DES with a 56-bit key, which is weak by current standards; enable it only for the principals that must authenticate through the VPN Concentrator rather than for the whole realm.

For example, if you are configuring authentication to a Red Hat Linux 7.3 server running Kerberos, check the available keys by completing the following steps:

Step 1 Enter the following command, where username is the name of the user you want to authenticate:

kadmin.local -q "getprinc username"

Step 2 If "DES cbc mode with RSA-MD5, Version 5" is not available for that user, edit the file kdc.conf. Add or move "des-cbc-md5" selections to the beginning of the "supported_enctypes =" line:

    [realms]
        MYCOMPANY.COM = {
            master_key_type = des-cbc-crc
            supported_enctypes = des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
        }

Step 3 Save the file.

Step 4 Restart the krb5kdc, kadmin, and krb524 services.

Step 5 Change the password for the user to create the "DES cbc mode with RSA-MD5" key:

kadmin.local -q "cpw -pw newpassword username"

Now you should be able to authenticate that user to your Linux/Unix Kerberos 5 server.
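The following is an added example, not part of this manual or of MIT Kerberos, that turns Steps 1 through 5 into a check you can run against the output you already have: it parses constructed sample output in the format of kadmin.local -q "getprinc username" (krb5 1.2-era wording, as quoted above) and a constructed kdc.conf, and reports whether the principal already has the des-cbc-md5 key, whether the realm is configured to derive one, and which step comes next. The realm name, principal and file contents are all made up for the example.

```python
"""Constructed example: decide which of the manual's Kerberos steps still apply.
Inputs are sample strings, not real files; nothing is executed on a KDC."""
import re

REQUIRED_KEY = "DES cbc mode with RSA-MD5"   # kadmin's name for des-cbc-md5
REQUIRED_ENCTYPE = "des-cbc-md5"

# Constructed sample of `kadmin.local -q "getprinc jdoe"`: no des-cbc-md5 key yet.
SAMPLE_GETPRINC = """\
Principal: jdoe@MYCOMPANY.COM
Expiration date: [never]
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
"""

# Constructed sample kdc.conf: des-cbc-md5 is listed, but not first as the manual asks.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88

[realms]
    MYCOMPANY.COM = {
        master_key_type = des-cbc-crc
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
    }
"""


def principal_key_types(getprinc_output):
    """Enctype names from the 'Key: vno N, <enctype>, <salt>' lines."""
    keys = []
    for line in getprinc_output.splitlines():
        if line.startswith("Key: vno "):
            parts = line.split(", ", 2)
            if len(parts) >= 2:
                keys.append(parts[1])
    return keys


def supported_enctypes(kdc_conf, realm):
    """supported_enctypes tokens (enctype:salt) of one realm stanza, in configured order."""
    stanza = re.search(r"\[realms\].*?%s\s*=\s*\{(.*?)\}" % re.escape(realm), kdc_conf, re.S)
    if not stanza:
        return []
    m = re.search(r"supported_enctypes\s*=\s*(.+)", stanza.group(1))
    return m.group(1).split() if m else []


def assess(getprinc_output, kdc_conf, realm):
    """Report what is still missing for this principal to authenticate via the concentrator."""
    keys = principal_key_types(getprinc_output)
    enctypes = [tok.split(":")[0] for tok in supported_enctypes(kdc_conf, realm)]
    report = {
        "has_des_md5_key": REQUIRED_KEY in keys,
        "des_md5_configured": REQUIRED_ENCTYPE in enctypes,
        "des_md5_first": bool(enctypes) and enctypes[0] == REQUIRED_ENCTYPE,
    }
    if report["has_des_md5_key"]:
        report["next_step"] = "nothing: key present"
    elif report["des_md5_first"]:
        report["next_step"] = "change the user's password so the KDC derives the des-cbc-md5 key"
    else:
        report["next_step"] = ("put des-cbc-md5 first in supported_enctypes, restart krb5kdc/kadmin, "
                               "then change the user's password")
    return report


if __name__ == "__main__":
    for k, v in assess(SAMPLE_GETPRINC, SAMPLE_KDC_CONF, "MYCOMPANY.COM").items():
        print(f"{k}: {v}")
```

Because the KDC only derives keys when a password is set, a principal can be configured correctly and still lack the key; that is why the check looks at the principal's keys first and at kdc.conf second.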


Figure 5-6 Configuration | System | Servers | Authentication | Add or Modify Kerberos/Active Directory Screen

Authentication Server

Enter the IP address or host name of the Kerberos/Active Directory authentication server, for example: 192.168.12.34. If you enter an IP address, use dotted decimal notation.

Server Port

Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 88.

Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next Kerberos/Active Directory authentication server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.

Realm

Enter the realm name for this server, for example: USDOMAIN.ACME.COM. The maximum length is 64 characters.

The following types of servers require that you enter the realm name in all uppercase letters: Windows 2000, Windows XP, and Windows .NET Server (released as Windows Server 2003). If the letters are not uppercase, authentication fails.

You must enter this name, and it must be the correct realm name for the server for which you entered the IP address in Authentication Server. If it is incorrect, authentication will fail.


Add or Apply / Cancel

To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | Servers | Authentication screen. Any new server appears at the bottom of the Authentication Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.

Server Type = Internal Server

The VPN Concentrator internal authentication server lets you enter a maximum of 100 groups and users (combined) in its database. To do so, see the Configuration | User Management screens, or click the highlighted link on the Configuration | System | Servers | Authentication screen.

The internal server has no configurable parameters, therefore there is no Modify screen. If you select the internal server and click Modify on the Configuration | System | Servers | Authentication screen, the Manager displays an error message.

You can configure only one instance of the internal server.

Figure 5-7 Configuration | System | Servers | Authentication | Add Internal Server Screen

Add / Cancel

To add the internal server to the list of configured user authentication servers, and to include the entry in the active configuration, click Add. The Manager returns to the Configuration | System | Servers | Authentication screen. The new server appears at the bottom of the Authentication Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entry, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.


Configuration | System | Servers | Authentication | Delete

This screen asks you to confirm your decision to delete the internal authentication server. Deleting it prevents IPSec LAN-to-LAN connections, since they depend on internally configured groups for IPSec SA negotiations. Deleting it also prevents connections by all users that are configured in the internal user database.

Note We strongly recommend that you not delete the internal authentication server.

Figure 5-8 Configuration | System | Servers | Authentication | Delete Screen

Yes / No

To delete the internal authentication server, click Yes.

Note There is no undo.

The Manager returns to the Configuration | System | Servers | Authentication screen and shows the remaining entries in the Authentication Servers list.

To not delete the internal authentication server, click No. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | Servers | Authentication | Test

This screen lets you test a configured external user authentication server to determine that:

• The VPN Concentrator is communicating properly with the authentication server.

• The server correctly authenticates a valid user.

• The server correctly rejects an invalid user.

Figure 5-9 Configuration | System | Servers | Authentication | Test Screen

Username

To test connectivity and valid authentication, enter the username for a valid user who has been configured on the authentication server. The maximum username length is 32 characters. Entries are case-sensitive.

To test connectivity and authentication rejection, enter a username that is invalid on the authentication server.

Password

Enter the password for the username. Maximum 32 characters, case-sensitive. The field displays only asterisks.

OK / Cancel

To send the username and password to the chosen authentication server, click OK. The authentication and response process takes a few seconds. The Manager displays a Success or Error screen.

To cancel the test and discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen.


Authentication Server Test: Success

If the VPN Concentrator communicates correctly with the authentication server, and the server correctly authenticates a valid user, the Manager displays a Success screen.

Figure 5-10 Authentication Server Test: Success Screen

Continue

To return to the Configuration | System | Servers | Authentication | Test screen, click Continue. You can then test authentication for another username.

To return to the Configuration | System | Servers | Authentication screen, or any other screen, click the desired title in the left frame (Manager table of contents).

Authentication Server Test: Authentication Rejected Error

If the VPN Concentrator communicates correctly with the authentication server, and the server correctly rejects an invalid user, the Manager displays an Authentication Rejected Error screen.

Figure 5-11 Authentication Server Test: Authentication Rejected Error Screen

To return to the Configuration | System | Servers | Authentication | Test screen, click Retry the operation.

To go to the main VPN Concentrator Manager screen, click Go to main menu.


Authentication Server Test: Authentication Error

If the VPN Concentrator cannot communicate with the authentication server, the Manager displays an Authentication Error screen. Error messages include:

• No response from server = There is no response from the selected server within the configured timeout and retry periods.

• No active server found = The VPN Concentrator cannot find an active, configured server to test.

The server might be improperly configured or out of service, the network might be down or clogged, or the shared secret might not match (a server whose replies fail the secret check looks the same as one that never answers). Check the server configuration parameters, be sure the server is operating, check the network connections, and confirm the secret on both sides.

Figure 5-12 Authentication Server Test: Authentication Error Screen

To return to the Configuration | System | Servers | Authentication | Test screen, click Retry the operation.

To go to the main VPN Concentrator Manager screen, click Go to main menu.


Configuration | System | Servers | Authorization

This screen lets you configure the VPN Concentrator to use external RADIUS or LDAP servers for authorizing users. User authorization provides the VPN Concentrator with information about each user's permissions and other attributes (such as the user's access hours, primary DNS, or banner). Using an external server for authorization gives you centralized control of user permissions. It is also helpful if you are managing large numbers of users.

Adding an external authorization server allows you to separate user authorization from user authentication, so that you can, for example, authenticate users with Kerberos and authorize them using LDAP. It also allows certificate users to receive permissions by means of LDAP or RADIUS without secondary authentication via XAUTH.

Note If you are already using RADIUS for authentication, you do not need to use RADIUS authorization on the same server. The RADIUS authentication server returns the user’s permissions as part of the authentication process.

You can configure user authorization on a global basis or a group basis. Configure it on a global basis if you want the server to be available to members of all groups for which authorization is enabled. Configure it on a group basis if you want members of a particular group to use a particular server. If you use internal groups, then any permissions and attributes returned by the authorization server take precedence over the attributes defined in the group.

Use this screen to configure global authorization servers. To configure authorization servers for a particular group, see Configuration | User Management | Group | Authorization Servers.

You can configure and prioritize up to 10 authorization servers. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative.

Before you configure an external server here, be sure that the external server you reference is itself properly configured. (For information on how to configure your server, see Appendix A, "Configuring an External Server for VPN Concentrator User Authorization".) Be sure that you know how to access the server; for example, you should know the IP address or host name, TCP/UDP port, and secret/password. The VPN Concentrator functions as the client of these servers.

Note The VPN Concentrator must communicate directly to the external authorization server for authorization to work correctly. You cannot proxy the LDAP authorization server via a RADIUS server. For example, you cannot use the Cisco Secure ACS RADIUS server to proxy user authorization LDAP requests to the external LDAP server.

Note The VPN Concentrator logs authorization requests and replies using AUTH and AUTHDBG event classes.

Caution Because the authorization exchange is neither encrypted nor authenticated, anyone on the network path can read it or alter the permissions it returns. Place all authorization servers within the corporate network, on a segment that untrusted hosts cannot reach.


Configuring Authorization Servers for IPSec, PPTP and L2TP Clients

When you have added the server, enable user authorization on the Configuration | User Management | Base Group/Groups IPSec tab.

Configuring Authorization Servers for VPN 3002 Hardware Clients

If you are authorizing a Cisco VPN 3002 Hardware Client, the VPN Concentrator authorizes the Hardware Client itself, not the hosts behind it. Therefore, a single set of permissions applies to all hosts or PCs on the Hardware Client's LAN.

Configuring Authorization Servers for WebVPN

For WebVPN users, configure authorization server(s) here. The authorization servers you configure in this global screen apply for all WebVPN users, even those in a group. The VPN Concentrator does not support multiple authorization types for WebVPN users. It authorizes users according to the first configured server in the list, regardless of type.

WebVPN Users Authenticating with Digital Certificates

WebVPN users who authenticate using digital certificates do not go through a username/password authentication server; the authorization server you configure in this screen supplies their permissions. You configure the Authorization Type, Authorization Required, and DN Field parameters in the Configuration | User Management | Base Group/Groups IPSec tab.


Figure 5-13 Configuration | System | Servers | Authorization Screen


Authorization ServersThe Authorization Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type, for example: 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server of each type is the primary, the rest are backup.

Add / Modify / Delete / Move / Test

To configure a new user authorization server, click Add. The Manager opens the Configuration | System | Servers | Authorization | Add screen.

To modify a configured user authorization server, select the server from the list and click Modify. The Manager opens the Configuration | System | Servers | Authorization | Modify screen.

To remove a configured user authorization server, select the server from the list and click Delete. The Manager refreshes the screen and shows the remaining entries in the Authorization Servers list.

Note There is no confirmation or undo.

To change the priority order for configured servers, select the entry from the list and click Move Up or Move Down. The Manager refreshes the screen and shows the reordered Authorization Servers list.

To test a configured user authorization server, select the server from the list and click Test. The Manager opens the Configuration | System | Servers | Authorization | Test screen.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | Servers | Authorization | Add or Modify

These screens let you:

• Add: Configure and add a new user authorization server.

• Modify: Modify parameters for a configured user authorization server.

Click the Server Type drop-down menu button and select the type of server. The screen and its configurable fields change depending on the server type. The choices are:

• RADIUS = Use an external RADIUS (Remote Authentication Dial-In User Service) server for user authorization.

• LDAP = Use an external LDAP (Lightweight Directory Access Protocol) server for user authorization.

Find your selected server type.

Server Type = RADIUS

Configure these parameters for a RADIUS authorization server.

Figure 5-14 Configuration | System | Servers | Authorization | Add or Modify RADIUS Screen

Authorization Server

Enter the IP address or host name of the RADIUS authorization server, for example: 192.168.12.34. The maximum number of characters is 32.


Server Port

Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 1645.

Note The latest RFC states that RADIUS should be on UDP port number 1812, so you might need to change this default value to 1812.

Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next RADIUS authorization server in the list. The minimum number of retries is 0. The default number is 2. The maximum number is 10.

Server Secret

Enter the server secret (also called the shared secret) for the RADIUS server, for example: C8z077f. The VPN Concentrator uses the server secret to authenticate to the RADIUS server.

The server secret you configure here should match the one configured on the RADIUS server. If you do not know the server secret for the RADIUS server, ask the administrator of the RADIUS server.

The maximum field length is 64 characters. The field shows only asterisks.

Verify

Re-enter the RADIUS server secret to verify it. The field shows only asterisks.

Common User Password

The RADIUS authorization server requires a password and username for each connecting user. You enter the password here. The RADIUS server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this VPN Concentrator. Be sure to provide this information to your RADIUS server administrator.

Enter a common password for all users who are accessing this RADIUS authorization server through this VPN Concentrator.


If you leave this field blank, each user’s password will be his or her own username. For example, a user with the username “jsmith” would enter “jsmith”. If you are using usernames for the Common User passwords, as a security precaution do not use this RADIUS server for authentication anywhere else on your network.

Note This field is essentially a space-filler. The RADIUS server expects and requires it, but does not use it. Users do not need to know it.

Verify

Re-enter the Common User Password to verify it. The field shows only asterisks.

Add or Apply / Cancel

To add the new server to the list of configured user authorization servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | Servers | Authorization screen. Any new server appears at the bottom of the Authorization Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authorization screen, and the Authorization Servers list is unchanged.

Server Type = LDAP

Configure these parameters for an LDAP authorization server.


Figure 5-15 Configuration | System | Servers | Authorization | Add or Modify LDAP Screen

Authorization Server

Enter the IP address or hostname of the LDAP authorization server. Enter the IP address in dotted decimal notation, for example: 192.168.12.34.

Server Port

Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 389.

Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next LDAP authorization server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.


Login DN

Some LDAP servers (including the Microsoft Active Directory server) require the VPN Concentrator to establish a handshake via authenticated binding before they will accept requests for any other LDAP operations. The VPN Concentrator identifies itself for authenticated binding by attaching a Login DN field to the user authentication request. The Login DN field defines the VPN Concentrator’s authentication characteristics; these characteristics should correspond to those of a user with administration privileges.

Enter the name of the directory object for VPN Concentrator authenticated binding, for example: cn=Administrator, cn=users, ou=people, dc=XYZ Corporation, dc=com. For anonymous access, leave this field blank.

Password

Enter the password for the Login DN.

Verify

Re-enter the Login DN password to verify it. The field shows only asterisks.

Base DN

Enter the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request. For example, OU=people, dc=cisco, dc=com.

Search Scope

Choose the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.

• One Level: Search only one level beneath the Base DN. This option is quicker.

• Subtree: Search all levels beneath the Base DN; in other words, search the entire subtree hierarchy. This option takes more time.

Naming Attributes

Enter the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (cn) and User ID (uid).
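The Login DN, Base DN, Search Scope and Naming Attributes fields above describe one LDAP user lookup. The following is an added example, not Cisco code from the manual, that turns those fields into the bind identity and search parameters for a lookup and escapes the username so that filter metacharacters in it cannot change what the directory is asked; the function names, the scope-name strings and the returned dict layout are this example's own assumptions.

```python
"""Turn the LDAP authorization fields into a search request (added example)."""
import re
from typing import Dict, Iterable, Union

# Scope values as carried in an LDAP SearchRequest (RFC 4511).
SCOPE_ONE_LEVEL = 1   # "One Level": entries directly beneath the Base DN
SCOPE_SUBTREE = 2     # "Subtree": every level beneath the Base DN
_SCOPES = {"One Level": SCOPE_ONE_LEVEL, "Subtree": SCOPE_SUBTREE}

# RFC 4515 escaping for assertion values inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_MAX_USERNAME = 255   # limit stated on the Authorization | Test screen


def escape_filter_value(value: str) -> str:
    """Escape a username before it is placed in a filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_dn(dn: str) -> str:
    """Drop the spaces after RDN separators used in the manual's examples
    ("OU=people, dc=cisco, dc=com" -> "OU=people,dc=cisco,dc=com").
    A comma escaped with a backslash is part of a value and is kept."""
    return ",".join(rdn.strip() for rdn in re.split(r"(?<!\\),", dn))


def bind_identity(login_dn: str) -> str:
    """DN to bind with; a blank Login DN means an anonymous bind."""
    return normalize_dn(login_dn) if login_dn.strip() else ""


def build_search(base_dn: str, scope: str, naming_attrs: Iterable[str],
                 username: str) -> Dict[str, Union[str, int]]:
    """Search parameters for looking up `username` under `base_dn`.
    Several naming attributes are combined into one OR filter."""
    if scope not in _SCOPES:
        raise ValueError(f"unknown search scope {scope!r}")
    attrs = [a.strip() for a in naming_attrs if a.strip()]
    if not attrs:
        raise ValueError("at least one naming attribute is required")
    if not username or len(username) > _MAX_USERNAME:
        raise ValueError(f"username must be 1..{_MAX_USERNAME} characters")
    value = escape_filter_value(username)
    clauses = [f"({attr}={value})" for attr in attrs]
    ldap_filter = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return {"base": normalize_dn(base_dn), "scope": _SCOPES[scope], "filter": ldap_filter}


if __name__ == "__main__":
    print(bind_identity("cn=Administrator, cn=users, ou=people, dc=XYZ Corporation, dc=com"))
    print(build_search("OU=people, dc=cisco, dc=com", "Subtree", ["uid"], "jsmith"))
    # A username carrying filter metacharacters is neutralised rather than interpreted:
    print(build_search("OU=people, dc=cisco, dc=com", "One Level", ["cn", "uid"], "*)(uid=*"))
```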

Add or Apply / Cancel

To add the new server to the list of configured user authorization servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | Servers | Authorization screen. Any new server appears at the bottom of the Authorization Servers list.


Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authorization screen, and the Authorization Servers list is unchanged.


Configuration | System | Servers | Authorization | Test

This screen lets you test a configured user authorization server to determine that:

• The VPN Concentrator is communicating properly with the authorization server.

• The server correctly authorizes a valid user.

• The server correctly rejects an authorization request for an invalid user.

Figure 5-16 Configuration | System | Servers | Authorization | Test Screen

Username

To test connectivity and valid authorization, enter the username for a valid user who has been configured on the authorization server. The maximum username length is 255 characters. Entries are case-sensitive.

To test connectivity and authorization rejection, enter a username that is invalid on the authorization server.

OK / Cancel

To send the username and password to the chosen authorization server, click OK. The authorization and response process takes a few seconds. The Manager displays a Success or Error screen.

To cancel the test and discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authorization screen.


Authorization Server Test: Success

If the VPN Concentrator communicates correctly with the authorization server, and the server correctly authorizes a valid user, the Manager displays a Success screen.

Figure 5-17 Authorization Server Test: Success Screen

Continue

To return to the Configuration | System | Servers | Authorization | Test screen, click Continue. You can then test authorization for another username.

To return to the Configuration | System | Servers | Authorization screen, or any other screen, click the desired title in the left frame (Manager table of contents).

Authorization Server Test: Authorization Error

If the VPN Concentrator cannot communicate with the authorization server, the Manager displays an Authorization Error screen. Error messages include:

• No response from server = There is no response from the selected server within the configured timeout and retry periods.

• No active server found = The VPN Concentrator cannot find an active, configured server to test.

The server might be improperly configured or out of service, or the network might be down or clogged. Check the server configuration parameters, be sure the server is operating, check the network connections, etc.

Figure 5-18 Authorization Server Test: Authorization Error Screen

To return to the Configuration | System | Servers | Authorization | Test screen, click Retry the operation.

To go to the main VPN Concentrator Manager screen, click Go to main menu.


Configuration | System | Servers | Accounting

This section lets you configure external RADIUS user accounting servers, which collect data on user connect time, packets transmitted, etc., under the VPN tunneling protocols: PPTP, L2TP, and IPSec.

You can configure and prioritize up to ten accounting servers. The first server is the primary, and the rest are backup servers in case the primary is inoperative.

Before you configure an accounting server here, be sure that the server you reference is itself properly configured and that you know how to access it (IP address or host name, UDP port, server secret, etc.). The VPN Concentrator functions as the client of these servers.

Figure 5-19 Configuration | System | Servers | Accounting Screen

The VPN Concentrator communicates with RADIUS accounting servers per RFC 2139 and currently includes the attributes in Table 5-1 in the accounting start and stop records. These attributes might change.

Table 5-1 RADIUS Accounting Record Attributes

Start Record                    Stop Record
Username                        Username
Acct Status Type                Acct Status Type
Class                           Class
Service Type                    Service Type
Framed Protocol                 Framed Protocol
Framed IP Address               Framed IP Address
NAS Port                        NAS Port
Acct Session ID                 Session Time
Tunnel Client Endpoint Address  Input Octets
Authentic                       Output Octets
Delay Time                      Input Packets
NAS IP Address                  Output Packets
NAS Port Type                   Terminate Cause
Tunnel Type                     Acct Session ID
                                Tunnel Client Endpoint Address
                                Authentic
                                Delay Time
                                NAS IP Address
                                NAS Port Type
                                Tunnel Type

Accounting Servers

The Accounting Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type, for example: 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server is the primary, the rest are backup.

Add / Modify / Delete / Move

To configure a new user accounting server, click Add. The Manager opens the Configuration | System | Servers | Accounting | Add screen.

To modify a configured user accounting server, select the server from the list and click Modify. The Manager opens the Configuration | System | Servers | Accounting | Modify screen.

To remove a configured user accounting server, select the server from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining entries in the Accounting Servers list.

To change the priority order for configured servers, select the entry from the list and click Move [Up Arrow] or Move [Down Arrow]. The Manager refreshes the screen and shows the reordered Accounting Servers list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
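The Start and Stop records of Table 5-1 are only useful for monitoring once they are paired up by Acct Session ID. The following is an added example, not Cisco code from the manual, that checks constructed records for the attributes the table lists for their type, pairs each Stop with its Start, and reports sessions that never closed or Stops that arrived without a Start; the records, the field values and the result layout are this example's own constructed assumptions, and a real deployment would read the records from the accounting server's log.

```python
"""Correlate RADIUS accounting Start and Stop records (added example)."""
from typing import Dict, List, Tuple

# Attributes Table 5-1 lists for a Start record.
START_ATTRS = frozenset({
    "Username", "Acct Status Type", "Class", "Service Type", "Framed Protocol",
    "Framed IP Address", "NAS Port", "Acct Session ID",
    "Tunnel Client Endpoint Address", "Authentic", "Delay Time",
    "NAS IP Address", "NAS Port Type", "Tunnel Type",
})
# A Stop record carries everything a Start does plus the usage counters.
STOP_ATTRS = START_ATTRS | {
    "Session Time", "Input Octets", "Output Octets", "Input Packets",
    "Output Packets", "Terminate Cause",
}

Record = Dict[str, object]


def missing_attributes(record: Record) -> List[str]:
    """Attributes Table 5-1 lists for this record type that are absent."""
    expected = STOP_ATTRS if record.get("Acct Status Type") == "Stop" else START_ATTRS
    return sorted(expected - record.keys())


def correlate(records: List[Record]) -> Dict[str, object]:
    """Pair Stops with Starts by Acct Session ID and report anomalies."""
    starts: Dict[str, Record] = {}
    closed: Dict[str, Tuple[Record, Record]] = {}
    orphan_stops: List[str] = []
    invalid: List[Tuple[str, List[str]]] = []
    for rec in records:
        sid = str(rec.get("Acct Session ID", "?"))
        missing = missing_attributes(rec)
        if missing:
            invalid.append((sid, missing))
        status = rec.get("Acct Status Type")
        if status == "Start":
            starts[sid] = rec
        elif status == "Stop":
            start = starts.pop(sid, None)
            if start is None:
                orphan_stops.append(sid)      # Stop with no matching Start
            else:
                closed[sid] = (start, rec)
    return {"closed": closed, "open": sorted(starts),
            "orphan_stops": orphan_stops, "invalid": invalid}


def session_octets(start: Record, stop: Record) -> int:
    """Total bytes carried by a closed session, from the Stop counters."""
    return int(stop["Input Octets"]) + int(stop["Output Octets"])


def _record(sid: str, user: str, endpoint: str, status: str) -> Record:
    """Constructed sample record; every value is illustrative only."""
    return {
        "Username": user, "Acct Status Type": status, "Class": "vpn-users",
        "Service Type": "Framed", "Framed Protocol": "PPP",
        "Framed IP Address": "10.20.0.7", "NAS Port": 1, "Acct Session ID": sid,
        "Tunnel Client Endpoint Address": endpoint, "Authentic": "RADIUS",
        "Delay Time": 0, "NAS IP Address": "192.168.12.1",
        "NAS Port Type": "Virtual", "Tunnel Type": "L2TP",
    }


# Constructed input: one normal session, one still open, one Stop with no Start.
SAMPLE_RECORDS: List[Record] = [
    _record("0001", "jsmith", "203.0.113.10", "Start"),
    {**_record("0001", "jsmith", "203.0.113.10", "Stop"), "Session Time": 3600,
     "Input Octets": 12000, "Output Octets": 48000, "Input Packets": 100,
     "Output Packets": 200, "Terminate Cause": "User-Request"},
    _record("0002", "alee", "198.51.100.9", "Start"),        # never closed
    {**_record("0003", "ghost", "203.0.113.77", "Stop"), "Session Time": 5,
     "Input Octets": 0, "Output Octets": 0, "Input Packets": 0,
     "Output Packets": 0},   # no Start seen, and Terminate Cause is missing
]

if __name__ == "__main__":
    result = correlate(SAMPLE_RECORDS)
    for sid, (start, stop) in result["closed"].items():
        print(sid, start["Username"], f"{session_octets(start, stop)} bytes")
    print("open:", result["open"], "orphan stops:", result["orphan_stops"])
    print("invalid:", result["invalid"])
```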


Configuration | System | Servers | Accounting | Add or Modify

These screens let you:

• Add: Configure and add a new RADIUS user accounting server.

• Modify: Modify parameters for a configured RADIUS user accounting server.

Figure 5-20 Configuration | System | Servers | Accounting | Add or Modify Screen

Accounting Server

Enter the IP address or host name of the RADIUS accounting server, for example: 192.168.12.34. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)

Server Port

Enter the UDP port number by which you access the accounting server. The default is 1646.

Note The latest RFC states that RADIUS accounting servers should be on UDP port number 1813, so you might need to change this default value to 1813.

Timeout

Enter the time, in seconds, to wait after sending a query to the accounting server and receiving no response, before trying again. The minimum time is 1 second. The default time is 1 second. The maximum time is 30 seconds.

Retries

Enter the number of times to retry sending a query to the accounting server after the timeout period. If there is still no response after this number of retries, the system declares this server inoperative and uses the next accounting server in the list. The minimum number of retries is 0. The default number of retries is 3. The maximum number of retries is 10.


Server Secret

Enter the server secret (also called the shared secret), for example: C8z077f. The field shows only asterisks.

Verify

Re-enter the server secret to verify it. The field shows only asterisks.

Add or Apply / Cancel

To add this server to the list of configured user accounting servers, click Add. Or, to apply your changes to this user accounting server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Servers | Accounting screen. Any new server appears at the bottom of the Accounting Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Accounting screen, and the Accounting Servers list is unchanged.


Configuration | System | Servers | DNS

This screen lets you configure system-wide Domain Name System (DNS) servers. DNS servers convert domain names to IP addresses. Configuring DNS servers here lets you enter host names (for example, mail01.cisco.com) rather than IP addresses as you configure and manage the VPN Concentrator.

You can configure up to three DNS servers that the system queries in order.

These DNS servers apply to the VPN Concentrator and to all WebVPN users. VPN Clients and users behind VPN 3002 Hardware Clients get DNS information from the DNS servers you configure in the General tab of the Base Group or Groups screens.

Figure 5-21 Configuration | System | Servers | DNS Screen

Enabled

To use DNS functions, check the Enabled check box (the default). To disable DNS, uncheck the box.

Domain

Enter the name of the registered domain in which the VPN Concentrator resides, for example: cisco.com. The maximum name length is 48 characters. This entry is sometimes called the domain name suffix or sub-domain. The DNS system within the VPN Concentrator automatically appends this domain name to host names before sending them to a DNS server for resolution.

Primary DNS Server

Enter the IP address of the primary DNS server, using dotted decimal notation, for example: 192.168.12.34. Be sure this entry is correct to avoid DNS resolution delays.


Secondary DNS Server

Enter the IP address of the secondary (first backup) DNS server, using dotted decimal notation. If the primary DNS server does not respond to a query within the Timeout Period specified, the system queries this server.

Tertiary DNS Server

Enter the IP address of the tertiary (second backup) DNS server, using dotted decimal notation. If the secondary DNS server does not respond to a query within the Timeout Period specified, the system queries this server.

Timeout Period

Enter the initial time in seconds to wait for a response to a DNS query before sending the query to the next server. The minimum time is 1 second. The default time is 2 seconds. The maximum time is 30 seconds. The time doubles with each retry cycle through the list of servers.

Timeout Retries

Enter the number of times to retry sending a DNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.

Apply / Cancel

To apply your settings for DNS servers and include the settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Servers screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Servers screen.


Configuration | System | Servers | DHCP

This section of the Manager lets you configure support for Dynamic Host Configuration Protocol (DHCP) servers that assign IP addresses to clients as a VPN tunnel is established.

If you check Use DHCP on the Configuration | System | Address Management | Assignment screen, you must configure at least one DHCP server here. You should also configure global DHCP parameters on the Configuration | System | IP Routing | DHCP screen; click the highlighted link to go there. The DHCP system within the VPN Concentrator is enabled by default on that screen.

If you want to assign users in a group to a particular IP sub-network, configure the DHCP Scope field on the Configuration | User Management | Group (or Base Group) screen, General tab.

You can configure and prioritize up to three DHCP servers. The first server is the primary, and the rest are backup servers in case the primary is inoperative.

Figure 5-22 Configuration | System | Servers | DHCP Screen

DHCP Servers

The DHCP Servers list shows the configured servers, in priority order. Each entry shows the server identifier, which can be an IP address or a host name, for example: 192.168.12.34. If no servers have been configured, the list shows --Empty--. The first server is the primary, the rest are backup.


Add / Modify / Delete / Move

To configure a new DHCP server, click Add. The Manager opens the Configuration | System | Servers | DHCP | Add screen.

To modify a configured DHCP server, select the server from the list and click Modify. The Manager opens the Configuration | System | Servers | DHCP | Modify screen.

To remove a configured DHCP server, select the server from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining entries in the DHCP Servers list.

Note If you delete a DHCP server, any IP addresses obtained from that server will eventually time out, and the associated sessions will terminate.

To change the priority order for configured servers, select the entry from the list and click Move [Up Arrow] or Move [Down Arrow]. The Manager refreshes the screen and shows the reordered DHCP Servers list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | Servers | DHCP | Add or Modify

These screens let you:

• Add: Configure and add a new DHCP server to the list of configured servers.

• Modify: Modify the parameters for a configured DHCP server.

Figure 5-23 Configuration | System | Servers | DHCP | Add or Modify Screen

DHCP Server

Enter the IP address or host name of the DHCP server, for example: 192.168.12.34. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)

Server Port

Enter the UDP port number by which you access the DHCP server. The default UDP port number is 67.

Add or Apply / Cancel

To add this server to the list of configured DHCP servers, click Add. Or, to apply your changes to this DHCP server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Servers | DHCP screen. Any new server appears at the bottom of the DHCP Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | DHCP screen, and the DHCP Servers list is unchanged.


Configuration | System | Servers | Firewall

If any remote users in any of the groups configured on the VPN Concentrator are receiving their firewall policy from a Zone Labs Integrity Server, specify the host name or IP address of the server here. (See the “Client FW Parameters Tab” under Configuration | User Management | Base Group or Configuration | User Management | Groups | Add or Modify for more information on configuring groups to use a firewall server.)

Figure 5-24 Configuration | System | Servers | Firewall Server Screen

Zone Labs Integrity Servers

Enter the host name or the IP address of the Zone Labs Integrity servers from which remote users on this VPN Concentrator derive their firewall policy.

You can configure up to five servers, for redundancy. The VPN Concentrator accepts connections from any server on this list.

Note To use the redundant server feature, all the servers must be in the same cluster and share the same Oracle or Microsoft SQL authentication database.

Failure Policy

Specify how the VPN Concentrator should treat connection requests should the firewall server fail.

• Permit Access = Allow connections to be established. Existing sessions can continue.

• Deny Access = Refuse connection requests. Terminate existing sessions.

– min = Specify how many minutes to wait after the firewall server fails before terminating existing sessions.


Server Port

Assign a port for the VPN Concentrator to use to communicate with the firewall server. The default port is 5054.

SSL Client Authentication

Check the SSL Client Authentication check box to require the VPN Concentrator to authenticate the firewall server. Requiring authentication provides added security. By default, this option is unchecked.

If you enable this option, generate an SSL certificate on the Zone Labs Integrity server before you connect it to the VPN Concentrator.

SSL client authentication goes into effect automatically only after you save the configuration file and reboot the VPN Concentrator. If you do not want to reboot the VPN Concentrator, you can perform this manual procedure to activate SSL client authentication immediately:

Step 1 On the VPN Concentrator Manager:

a. Click Apply to commit the changes on this screen.

b. Save the VPN Concentrator configuration file by clicking the Save icon.

Step 2 On the Zone Labs Integrity server:

a. Generate an SSL certificate.

b. Connect the Integrity server to the VPN Concentrator by configuring the VPN Concentrator to be the Integrity server’s gateway device. No client authentication takes place during this initial connection.

Step 3 On the operating system of the device that hosts the Integrity server:

a. Stop the service, thus forcing the Integrity server to disconnect from the VPN Concentrator.

b. Restart the service. During this connection, the VPN Concentrator authenticates the client.

Step 4 On the VPN Concentrator:

a. Verify that the server authenticated and connected properly by checking the event log on the VPN Concentrator.

Apply / Cancel

To include your entry in the active configuration, click Apply. The Manager returns to the Configuration | System | Server screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entry, click Cancel. The Manager returns to the Configuration | System | Server screen and the server configuration is unchanged.


Configuration | System | Servers | NBNS

This section of the Manager lets you configure NetBIOS Name Service (NBNS) servers that the VPN Concentrator queries to map a NetBIOS name to an IP address.

WebVPN requires NetBIOS to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server you specify corresponds to a specific NetBIOS name that identifies a resource on the network.

To make the NBNS function operational, you must configure at least one NetBIOS server (host). You can configure up to 3 NBNS servers for redundancy. The first available server on the list acts as the backup if the active server fails.

Figure 5-25 Configuration | System | Servers | NBNS Screen

Enabled

To use NBNS functions, check the Enabled check box. To disable NBNS, uncheck the box.

Server Type

Click the Server Type drop-down menu button and select the type of server you want to use.

• WINS servers

• Master Browser

Primary NBNS Server

Enter the IP address of the primary NBNS server, using dotted decimal notation, for example: 192.168.12.34.


Secondary NBNS ServerEnter the IP address of the secondary (first backup) NBNS server, using dotted decimal notation. If the primary NBNS server does not respond to a query within the Timeout Period specified, the system queries this server.

Tertiary NBNS ServerEnter the IP address of the tertiary (second backup) NBNS server, using dotted decimal notation. If the secondary NBNS server does not respond to a query within the Timeout Period specified, the system queries this server.

Timeout PeriodEnter the initial time in seconds to wait for a response to an NBNS query before sending the query to the next server. The minimum time is 1 second. The default time is 2 seconds. The maximum time is 30 seconds. The time doubles with each retry cycle through the list of servers.

Timeout Retries

Enter the number of times to retry sending an NBNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
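The timing that results from the Timeout Period and Timeout Retries fields, worked through as an added example. This is not Cisco code and is not part of the original manual. It assumes that the servers are queried in the order Primary, Secondary, Tertiary, that Timeout Retries counts the passes made after the first one (so 0 retries is a single pass), and that the per-server wait doubles on each pass, as the field descriptions above state. The server addresses are constructed sample values.

```python
"""NBNS failover timing derived from the Timeout Period and Timeout Retries
fields.  Added example, not Cisco code.  Assumptions (labelled): servers are
queried in the order primary, secondary, tertiary; Timeout Retries counts
passes made after the first one, so retries=0 is a single pass; and the
per-server wait doubles on every pass, as the field description states."""
from dataclasses import dataclass
from typing import List, Tuple

Attempt = Tuple[str, int]   # (server address, seconds waited for a reply)


@dataclass(frozen=True)
class NbnsConfig:
    servers: Tuple[str, ...]   # 1 to 3 NBNS servers in query order
    timeout: int = 2           # Timeout Period, seconds (1..30, default 2)
    retries: int = 2           # Timeout Retries (0..10, default 2)


def validation_errors(cfg: NbnsConfig) -> List[str]:
    """Mirror the range checks the Manager screen applies to each field."""
    errors = []
    if not 1 <= len(cfg.servers) <= 3:
        errors.append("configure 1 to 3 NBNS servers")
    if not 1 <= cfg.timeout <= 30:
        errors.append("Timeout Period must be 1..30 seconds")
    if not 0 <= cfg.retries <= 10:
        errors.append("Timeout Retries must be 0..10")
    return errors


def query_schedule(cfg: NbnsConfig) -> List[Attempt]:
    """Attempts in the order the concentrator makes them when no server
    ever answers: one pass per retry cycle, timeout doubling each cycle."""
    errors = validation_errors(cfg)
    if errors:
        raise ValueError("; ".join(errors))
    schedule: List[Attempt] = []
    for cycle in range(cfg.retries + 1):
        wait = cfg.timeout * (2 ** cycle)
        for server in cfg.servers:
            schedule.append((server, wait))
    return schedule


def worst_case_wait(cfg: NbnsConfig) -> int:
    """Seconds a WebVPN name lookup can block before an error is returned
    when every configured server is unreachable."""
    return sum(wait for _, wait in query_schedule(cfg))


if __name__ == "__main__":
    # Constructed sample: three servers on RFC 1918 addresses, default timers.
    cfg = NbnsConfig(("10.10.1.5", "10.10.1.6", "10.10.2.5"))
    for server, wait in query_schedule(cfg):
        print(f"query {server:<12} wait up to {wait:>2}s")
    print(f"worst case before error: {worst_case_wait(cfg)}s")
```

With three servers and the default timers the schedule is 2+2+2, 4+4+4 and 8+8+8 seconds, so a lookup against unreachable servers fails after 42 seconds. Raising Timeout Retries to its maximum of 10 with the default 2-second period gives 12,282 seconds under the same assumptions, which is why a small retry count is preferable when a hung file-share lookup must fail fast.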

Apply / Cancel

To apply your settings for NBNS servers and include the settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Servers screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Servers screen.


Configuration | System | Servers | NTP

This section of the Manager lets you configure NTP (Network Time Protocol) servers that the VPN Concentrator queries to synchronize with network time.

Clocks in many computers tend to drift a few seconds per day. Exact time synchronization is important for systems on a network so that protocol timestamps and logged events are accurate. Digital certificates, for example, carry a validity period; if the VPN Concentrator clock is wrong, a valid certificate can appear expired or not yet valid, and the connection fails.

To make the NTP function operational, you must configure at least one NTP server (host). You can configure up to 10 NTP servers. The VPN Concentrator queries all of them and synchronizes its system clock with the derived network time.

Figure 5-26 Configuration | System | Servers | NTP Screen


Configuration | System | Servers | NTP | Parameters

This Manager screen lets you configure the NTP synchronization frequency parameter. This parameter specifies how often the VPN Concentrator queries NTP servers to synchronize its clock with network time.

Figure 5-27 Configuration | System | Servers | NTP | Parameters Screen

Sync Frequency

Enter the synchronization frequency in minutes. The minimum frequency is 0 minutes, which disables the NTP function. The default frequency is 60 minutes. The maximum frequency is 10080 minutes (1 week).

Apply / Cancel

To apply your NTP parameter setting and include the setting in the active configuration, click Apply. The Manager returns to the Configuration | System | Servers | NTP screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Servers | NTP screen.


Configuration | System | Servers | NTP | Hosts

This section of the Manager lets you add, modify, and delete NTP hosts (servers).

To make the NTP function operational, you must configure at least one NTP host. You can configure a maximum of 10 hosts. The VPN Concentrator queries all configured hosts and derives the correct network time from their responses.

Figure 5-28 Configuration | System | Servers | NTP | Hosts Screen

NTP Hosts

The NTP Hosts list shows the configured servers. Each entry shows the server identifier, which can be an IP address or a host name, for example: 192.168.12.34. If no servers have been configured, the list shows --Empty--.

Add / Modify / Delete

To configure a new NTP host (server), click Add. The Manager opens the Configuration | System | Servers | NTP | Hosts | Add screen.

To modify a configured NTP host, select the host from the list and click Modify. The Manager opens the Configuration | System | Servers | NTP | Hosts | Modify screen.

To remove a configured NTP host, select the host from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining entries in the NTP Hosts list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | Servers | NTP | Hosts | Add or Modify

These screens let you:

• Add a new NTP host to the list of configured hosts.

• Modify a configured NTP host.

Figure 5-29 Configuration | System | Servers | NTP | Hosts | Add or Modify Screen

NTP Host

Enter the IP address or host name of the NTP host (server), for example: 192.168.12.34. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)

Add or Apply / Cancel

To add this host to the list of configured NTP hosts, click Add. Or, to apply your changes to a configured NTP host, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Servers | NTP | Hosts screen. Any new host appears at the bottom of the NTP Hosts list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entry, click Cancel. The Manager returns to the Configuration | System | Servers | NTP | Hosts screen, and the NTP Hosts list is unchanged.


Chapter 6 Address Management

IP addresses make internetwork connections possible. They are like telephone numbers: both the sender and receiver must have an assigned number to connect. But with VPNs, there are actually two sets of addresses: the first set connects client and server on the public network; and once that connection is made, the second set connects client and server through the VPN tunnel.

In VPN Concentrator address management, we are dealing with the second set of IP addresses: those private IP addresses that connect a client with a resource on the private network, through the tunnel, and let the client function as if it were directly connected to the private network. Furthermore, we are dealing only with the private IP addresses that get assigned to clients. The IP addresses assigned to other resources on your private network are part of your network administration responsibilities, not part of VPN Concentrator management.

Therefore, when we discuss IP addresses here, we mean those IP addresses available in your private network addressing scheme, that let the client function as a tunnel endpoint.


Configuration | System | Address Management

This section of the VPN 3000 Concentrator Series Manager lets you configure options for assigning addresses to clients as a tunnel is established. A client must have an IP address to function as a tunnel endpoint.

• Assignment configures the prioritized methods for assigning IP addresses.

• Pools configures the internal address pools from which you can assign IP addresses.

Figure 6-1 Configuration | System | Address Management Screen


Configuration | System | Address Management | Assignment

This screen lets you select prioritized methods for assigning IP addresses to clients as a tunnel is established. The VPN Concentrator tries the selected methods in the order listed until it finds a valid IP address to assign. You must select at least one method; you can select any and all methods. There are no default methods.

If you assign addresses from a non-local subnet, you must add routes for those subnets pointing to the VPN Concentrator on your internal routers.

Figure 6-2 Configuration | System | Address Management | Assignment Screen

Use Client Address

Check the Use Client Address check box to let the client specify its own IP address. For maximum security, we recommend that you control IP address assignment and not use client-specified IP addresses: a client that chooses its own address can claim an address that belongs to another host on the private network, which defeats address-based access controls and audit trails. Do not check only this box if you are using IPSec, since IPSec does not allow client-specified IP addresses.

Make sure the setting here is consistent with the setting for Use Client Address on the PPTP/L2TP Parameters tab on the Configuration | User Management | Base Group screen. A different Use Client Address setting for specific groups and users overrides the setting here and on the base group screen. See the Configuration | User Management screens.

Use Address from Authentication Server

Check the Use Address from Authentication Server check box to assign IP addresses retrieved from an authentication server on a per-user basis. If you are using an authentication server (external or internal) that has IP addresses configured, we recommend using this method.

Check this box if you enter an IP Address and Subnet Mask on the Identity Parameters tab on the Configuration | User Management | Users | Add or Modify screens (which means you are using the internal authentication server).


Use DHCP

Check the Use DHCP check box to obtain IP addresses from a DHCP (Dynamic Host Configuration Protocol) server.

If you use DHCP, configure the server on the Configuration | System | Servers | DHCP and Configuration | System | IP Routing | DHCP screens.

Use Address Pools

Check the Use Address Pools check box to have the VPN Concentrator assign IP addresses from an internally configured pool. Internally configured address pools are the easiest address assignment method to configure.

If you use this method, configure the IP address pools on the Configuration | System | Address Management | Pools screens.

Apply / Cancel

To include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Address Management screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings or changes, click Cancel. The Manager returns to the Configuration | System | Address Management screen.


Configuration | System | Address Management | Pools

This section of the Manager lets you configure IP address pools from which the VPN Concentrator assigns addresses to clients. If you check Use Address Pools on the Configuration | System | Address Management | Assignment screen, you must configure at least one address pool. The IP addresses in the pools must not be assigned to other network resources.

Figure 6-3 Configuration | System | Address Management | Pools Screen

IP Pool Entry

The IP Pool Entry list shows each configured address pool as an address range, for example: 10.10.147.100 to 10.10.147.177. If no pools have been configured, the list shows --Empty--. The pools are listed in the order they are configured. The system uses these pools in the order listed: if all addresses in the first pool have been assigned, it uses the next pool, and so on.

If you assign addresses from a non-local subnet, we suggest that you add pools that fall on subnet boundaries to make adding routes for these networks easier.

Add / Modify / Delete

To configure a new IP address pool, click Add. The Manager opens the Configuration | System | Address Management | Pools | Add screen.

To modify an IP address pool that has been configured, select the pool from the list and click Modify. The Manager opens the Configuration | System | Address Management | Pools | Modify screen.

To delete an IP address pool that has been configured, select the pool from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining pools in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | Address Management | Pools | Add or Modify

These screens let you:

• Add a new pool of IP addresses from which the VPN Concentrator assigns addresses to clients.

• Modify an IP address pool that you have previously configured.

The IP addresses in the pool range must not be assigned to other network resources.

Figure 6-4 Configuration | System | Address Management | Pools | Add or Modify Screen

Range Start

Enter the first IP address available in this pool. Use dotted decimal notation, for example: 10.10.147.100.

Range End

Enter the last IP address available in this pool. Use dotted decimal notation, for example: 10.10.147.177.

Add or Apply / Cancel

To add this IP address pool to the list of configured pools, click Add. Or to apply your changes to this IP address pool, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Address Management | Pools screen. Any new pool appears at the end of the IP Pool Entry list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Address Management | Pools screen, and the IP Pool Entry list is unchanged.
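A planning helper for the Range Start and Range End values you enter on this screen, added here as an example. It is not Cisco code and not part of the original manual. It lists the routes an internal router needs in order to reach pool addresses through the VPN Concentrator (the routes that the Assignment and Pools sections tell you to add for non-local subnets), reports whether a pool falls on a subnet boundary so that a single route suffices, and flags pools that overlap each other or contain a VPN Concentrator interface address. The interface addresses used are constructed sample values.

```python
"""Address-pool planning for the Pools | Add or Modify screen.  Added example,
not Cisco code.  Given the Range Start / Range End pairs you would enter, it
lists the CIDR routes an internal router needs to reach pool addresses via
the concentrator, reports whether each pool sits on a subnet boundary (so a
single route suffices), and flags pool overlaps or pools that contain one of
the concentrator's own interface addresses, which the manual says must not
happen.  Interface addresses below are constructed sample values."""
import ipaddress
from typing import List, Tuple

Pool = Tuple[str, str]   # (Range Start, Range End) in dotted decimal


def pool_routes(pool: Pool) -> List[ipaddress.IPv4Network]:
    """Smallest set of CIDR prefixes that covers the pool range exactly."""
    start, end = (ipaddress.IPv4Address(a) for a in pool)
    if end < start:
        raise ValueError(f"Range End {end} precedes Range Start {start}")
    return list(ipaddress.summarize_address_range(start, end))


def on_subnet_boundary(pool: Pool) -> bool:
    """True when one prefix covers the pool, i.e. one static route on the
    internal routers is enough."""
    return len(pool_routes(pool)) == 1


def overlap_report(pools: List[Pool], interface_addrs: List[str]) -> List[str]:
    """Findings for pools that overlap each other or swallow an interface."""
    parsed = [(ipaddress.IPv4Address(s), ipaddress.IPv4Address(e)) for s, e in pools]
    findings: List[str] = []
    for i, (s1, e1) in enumerate(parsed):
        for s2, e2 in parsed[i + 1:]:
            if s1 <= e2 and s2 <= e1:          # closed intervals intersect
                findings.append(f"pools {s1}-{e1} and {s2}-{e2} overlap")
        for addr in interface_addrs:
            if s1 <= ipaddress.IPv4Address(addr) <= e1:
                findings.append(f"pool {s1}-{e1} contains interface address {addr}")
    return findings


if __name__ == "__main__":
    # The manual's own example range plus one boundary-aligned pool.
    pools = [("10.10.147.100", "10.10.147.177"), ("10.10.148.0", "10.10.148.255")]
    for pool in pools:
        routes = ", ".join(str(n) for n in pool_routes(pool))
        aligned = "yes" if on_subnet_boundary(pool) else "no"
        print(f"{pool[0]}-{pool[1]}: routes [{routes}] on boundary: {aligned}")
    # Constructed interface addresses: Ethernet 1 (Private), Ethernet 2 (Public).
    for finding in overlap_report(pools, ["10.10.147.1", "192.168.12.10"]):
        print("WARNING:", finding)
```

The manual's example range 10.10.147.100 to 10.10.147.177 needs six routes on the internal routers (10.10.147.100/30, .104/29, .112/28, .128/27, .160/28 and .176/31), whereas 10.10.148.0 to 10.10.148.255 needs one (10.10.148.0/24). That difference is what the advice to place pools on subnet boundaries buys you.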


Chapter 7 IP Routing

In a typical installation, the VPN Concentrator is connected to the public network through an external router, which routes data traffic between networks, and it might also be connected to the private network through a router.

The VPN Concentrator itself includes an IP routing subsystem with static routing, RIP (Routing Information Protocol), and OSPF (Open Shortest Path First) functions. RIP and OSPF are routing protocols that routers use for messages to other routers within an internal or private network, to determine network connectivity, status, and optimum paths for sending data traffic.

After the IP routing subsystem establishes the data paths, the routing itself occurs at wire speed. The subsystem looks at the destination IP address in all packets coming through the VPN Concentrator, even tunneled ones, to determine where to send them. If the packets are encrypted, it sends them to the appropriate tunneling protocol subsystem (PPTP, L2TP, IPSec) for processing and subsequent routing. If the packets are not encrypted, it routes them in accordance with the configured IP routing parameters.

To route packets, the subsystem uses learned routes first (learned from RIP and OSPF), then static routes, then uses the default gateway. If you do not configure the default gateway, the subsystem drops packets that it cannot otherwise route. The VPN Concentrator also provides a tunnel default gateway, which is a separate default gateway for tunneled traffic only.

You configure static routes, the default gateways, and system-wide OSPF parameters in this section. This section also includes the system-wide DHCP (Dynamic Host Configuration Protocol) parameters. You configure RIP and interface-specific OSPF parameters on the network interfaces; see Configuration | Interfaces.

This section of the Manager also lets you configure VPN Concentrator redundancy using VRRP (Virtual Router Redundancy Protocol). This feature applies to installations of two or more VPN Concentrators in a parallel, redundant configuration. It provides automatic switchover to a backup system in case the primary system is out of service, thus ensuring user access to the VPN. This feature supports user access via IPSec LAN-to-LAN connections, IPSec client (single-user remote-access) connections, and PPTP client connections.


Configuration | System | IP Routing

This section of the Manager lets you configure system-wide IP routing parameters:

• Static Routes: Manually configured routing tables.

• Default Gateways: Routes for otherwise unrouted traffic.

• OSPF: Open Shortest Path First routing protocol.

• OSPF Areas: Subnet areas within the OSPF domain.

• DHCP: Dynamic Host Configuration Protocol global parameters for DHCP Proxy and DHCP relay.

• Redundancy: Virtual Router Redundancy Protocol parameters.

• Reverse Route Injection: Reverse Route Injection global parameters.

You configure RIP and interface-specific OSPF parameters on the network interfaces; click the highlighted link to go to the Configuration | Interfaces screen.

Figure 7-1 Configuration | System | IP Routing Screen


Configuration | System | IP Routing | Static Routes

This section of the Manager lets you configure static routes for IP routing. You usually configure static routes for private networks that cannot be learned via RIP or OSPF.

Figure 7-2 Configuration | System | IP Routing | Static Routes Screen

Static Routes

The Static Routes list shows manual IP routes that have been configured. The format is [destination network address/subnet mask -> outbound destination], for example: 192.168.12.0/255.255.255.0 -> 10.10.0.2. If you have configured the default gateway, it appears first in the list as Default -> default router address. If no static routes have been configured, the list shows --Empty--.

Note The following static routing table limits exist on the various platforms. The ability to populate all routes depends on having sufficient system memory.

• 3002: 75 routes

• 3005: 350 routes with 32 MB; 700 routes with 64 MB

• 30XX: 10,240 routes

When the routing table is full, the following message appears in the log:

12539 08/30/2001 22:07:55.270 SEV=2 IP/26 RPT=12
Routing Table Full, add new route failed.
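A detection for the Routing Table Full event, added here as an example. It is not Cisco code and not part of the original manual. The event layout (a header line with sequence number, date, time, SEV=n, event class/number and RPT=count, followed by the message text) is taken from the single sample in the Note above; the additional lines in the sample log are constructed filler in the same layout and are not real VPN Concentrator events.

```python
"""Detect the 'Routing Table Full' event in VPN 3000 log output.  Added
example, not Cisco code.  The event layout is taken from the one sample in
the Note above: a header line
    <seq> <mm/dd/yyyy> <hh:mm:ss.mmm> SEV=<n> <class>/<number> RPT=<count>
followed by the message text, which may appear on the same line or the next.
Only the IP/26 event is taken from the manual; the other lines in SAMPLE_LOG
are constructed filler in the same layout and are not real concentrator
events."""
import re
from dataclasses import dataclass, replace
from datetime import datetime
from typing import List

HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<cls>[A-Z]+)/(?P<num>\d+)\s+RPT=(?P<rpt>\d+)\s*(?P<rest>.*)$"
)

# Constructed sample.  The first two lines are the manual's example; the
# FILL/1 event is filler and not a real VPN 3000 event class.
SAMPLE_LOG = """\
12539 08/30/2001 22:07:55.270 SEV=2 IP/26 RPT=12
Routing Table Full, add new route failed.
12540 08/30/2001 22:07:56.001 SEV=5 FILL/1 RPT=1
constructed filler event, not a real VPN 3000 message
12541 08/30/2001 22:08:10.500 SEV=2 IP/26 RPT=13
Routing Table Full, add new route failed.
"""


@dataclass(frozen=True)
class LogEvent:
    seq: int
    when: datetime
    severity: int
    event_class: str
    event_number: int
    repeat: int
    message: str


def parse_log(text: str) -> List[LogEvent]:
    """Parse header lines; attach following non-header lines as the message."""
    events: List[LogEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            events.append(LogEvent(
                seq=int(m["seq"]),
                when=datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S.%f"),
                severity=int(m["sev"]),
                event_class=m["cls"],
                event_number=int(m["num"]),
                repeat=int(m["rpt"]),
                message=m["rest"].strip(),
            ))
        elif events:
            last = events[-1]
            events[-1] = replace(last, message=(last.message + " " + line).strip())
    return events


def routing_table_full(text: str) -> List[LogEvent]:
    """IP/26 events: the concentrator refused to add a route.  Worth alerting
    on, because every further route addition fails while the table is full."""
    return [e for e in parse_log(text) if e.event_class == "IP" and e.event_number == 26]


if __name__ == "__main__":
    for e in routing_table_full(SAMPLE_LOG):
        print(f"{e.when:%Y-%m-%d %H:%M:%S} seq={e.seq} RPT={e.repeat}: {e.message}")
```

The RPT count on consecutive IP/26 events shows how often the condition has recurred, so a rising count in a short window is the signal to check the route count against the platform limit above before adding more static or injected routes.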


Add / Modify / Delete

To configure and add a new static route, click Add. The Manager opens the Configuration | System | IP Routing | Static Routes | Add screen.

To modify a configured static route, select the route from the list and click Modify. The Manager opens the Configuration | System | IP Routing | Static Routes | Modify screen. If you select the default gateway, the Manager opens the Configuration | System | IP Routing | Default Gateways screen.

To delete a configured static route, select the route from the list and click Delete.

Note There is no confirmation and no undo.

The Manager refreshes the screen and shows the remaining static routes in the list. You cannot delete the default gateways here; to do so, see the Configuration | System | IP Routing | Default Gateways screen.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | IP Routing | Static Routes | Add or Modify

These Manager screens let you:

• Add: Configure and add a new static, or manual, route to the IP routing table.

• Modify: Modify the parameters for a configured static route.

Figure 7-3 Configuration | System | IP Routing | Static Routes | Add or Modify Screen

Network Address

Enter the destination network IP address to which this static route applies. Packets with this destination address will be sent to the destination you enter. Use dotted decimal notation, for example: 192.168.12.0.

Subnet Mask

Enter the subnet mask for the destination network IP address. Use dotted decimal notation, for example: 255.255.255.0. The subnet mask indicates which part of the IP address represents the network and which part represents hosts. The router subsystem looks at only the network part.

The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For example, the IP address 192.168.12.0 is a Class C address, and the standard subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is not allowed here, since that would resolve to the equivalent of a default gateway.

Metric

Enter the metric, or cost, for this route. Use a number from 1 to 16, where 1 is the lowest cost. The routing subsystem always tries to use the least costly route. For example, if a route uses a low-speed line, you might assign a high metric so the system will use it only if all high-speed routes are unavailable.


Destination

Click a radio button to choose the outbound destination for these packets. You can choose only one destination: either a specific router/gateway, or a VPN Concentrator interface.

Router Address

Enter the IP address of the specific router or gateway to which to route these packets; that is, the IP address of the next hop between the VPN Concentrator and the ultimate destination of the packet. Use dotted decimal notation, for example: 10.10.0.2.

Interface

Click the Interface drop-down menu button and choose a configured VPN Concentrator interface as the outbound destination. The menu lists all interfaces that have been configured. The default interface for a static route is the Ethernet 2 (Public) interface.

For example, in a LAN-to-LAN configuration where remote-access clients are assigned IP addresses that are not on the private network, you could configure a static route with those addresses outbound to the Ethernet 1 (Private) interface. The clients could then access the peer VPN Concentrator and its networks.

Add or Apply / Cancel

To add a new static route to the list of configured routes, click Add. Or to apply your changes to a static route, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | System | IP Routing | Static Routes screen. Any new route appears at the bottom of the Static Routes list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing | Static Routes screen, and the Static Routes list is unchanged.


Configuration | System | IP Routing | Default Gateways

This screen lets you configure the default gateway for IP routing, and configure the tunnel default gateway for tunneled traffic. You use this same screen both to initially configure and to change default gateways. You can also configure the default gateway on the Configuration | Quick | System Info screen.

The IP routing subsystem routes data packets first using learned routes, then static routes, then the default gateway. If you do not specify a default gateway, the system drops packets it cannot otherwise route.

For tunneled data, if the system does not know a destination address, it tries to route the packet to the tunnel default gateway first. If that route is not configured, it uses the regular default gateway.
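The route-selection order that the chapter introduction and the two paragraphs above describe, worked through as an added example. This is not Cisco code and does not reproduce the VPN Concentrator's implementation; it encodes only what the text states: learned (RIP/OSPF) routes before static routes, static routes before the default gateway, the tunnel default gateway before the regular default gateway for tunneled packets that match no route, a learned default route displacing the configured one only while the Override Default Gateway box on this screen is checked, and a drop when nothing matches and no default gateway is configured. Two details are assumptions because the manual does not state them: within one class of route the lowest metric wins, and among equal metrics the longest prefix. The table contents are constructed from the example addresses used in this chapter.

```python
"""Model of the route-selection order this chapter describes.  Added example,
not Cisco code.  It encodes only what the text states: learned (RIP/OSPF)
routes are consulted before static routes, static routes before the default
gateway, a tunneled packet that matches no route goes to the tunnel default
gateway before the regular default gateway, a learned default route displaces
the configured one only while Override Default Gateway is checked, and a
packet that matches nothing is dropped when no default gateway exists.
Assumptions: within one class of route the lowest metric wins, and among
equal metrics the longest prefix; the manual does not state a tie-break."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Route:
    network: ipaddress.IPv4Network
    next_hop: str            # router address or interface name
    metric: int = 1          # 1 (cheapest) .. 16
    source: str = "static"   # "learned" or "static"


@dataclass
class RoutingTable:
    routes: List[Route] = field(default_factory=list)
    default_gateway: Optional[str] = None          # 0.0.0.0 in the GUI -> None
    tunnel_default_gateway: Optional[str] = None   # 0.0.0.0 in the GUI -> None
    learned_default_gateway: Optional[str] = None  # default route from RIP/OSPF
    override_default_gateway: bool = True          # the check box default

    def add(self, cidr: str, next_hop: str, metric: int = 1, source: str = "static") -> None:
        if not 1 <= metric <= 16:
            raise ValueError("metric must be 1..16")
        if source not in ("learned", "static"):
            raise ValueError("source must be 'learned' or 'static'")
        net = ipaddress.IPv4Network(cidr, strict=True)
        if net.prefixlen == 0:   # mask 0.0.0.0 is refused on the Add screen
            raise ValueError("0.0.0.0/0 is the default gateway, not a static route")
        self.routes.append(Route(net, next_hop, metric, source))

    def _best(self, dst: ipaddress.IPv4Address, source: str) -> Optional[Route]:
        matches = [r for r in self.routes if r.source == source and dst in r.network]
        if not matches:
            return None
        # lowest metric first; longest prefix as the tie-break (assumption)
        return min(matches, key=lambda r: (r.metric, -r.network.prefixlen))

    def effective_default(self) -> Optional[str]:
        """Learned default wins only while Override Default Gateway is checked."""
        if self.override_default_gateway and self.learned_default_gateway:
            return self.learned_default_gateway
        return self.default_gateway

    def lookup(self, dst: str, tunneled: bool = False) -> Optional[str]:
        """Next hop for dst, or None when the packet is dropped."""
        addr = ipaddress.IPv4Address(dst)
        for source in ("learned", "static"):
            route = self._best(addr, source)
            if route is not None:
                return route.next_hop
        if tunneled and self.tunnel_default_gateway:
            return self.tunnel_default_gateway
        return self.effective_default()


if __name__ == "__main__":
    # Constructed table using the example addresses from this chapter.
    rt = RoutingTable(default_gateway="192.168.12.77", tunnel_default_gateway="10.10.0.2")
    rt.add("192.168.12.0/24", "10.10.0.3", metric=5, source="learned")
    rt.add("192.168.12.0/24", "10.10.0.2", metric=1)        # static loses to learned
    rt.add("172.16.0.0/16", "Ethernet 1 (Private)")
    for dst, tun in (("192.168.12.5", False), ("172.16.4.4", True),
                     ("203.0.113.9", True), ("203.0.113.9", False)):
        print(f"{dst:<14} tunneled={tun!s:<5} -> {rt.lookup(dst, tun)}")
```

Note what the stated order implies: a learned route with metric 5 is preferred over a static route to the same network with metric 1, because the class of route is compared before the metric. If you need the static route to win, the learned route must not be accepted in the first place.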

Figure 7-4 Configuration | System | IP Routing | Default Gateways Screen

Default Gateway

Enter the IP address of the default gateway or router. Use dotted decimal notation, for example: 192.168.12.77. This address must not be the same as the IP address configured on any VPN Concentrator interface. If you do not use a default gateway, enter 0.0.0.0 (the default entry).

To delete a configured default gateway, enter 0.0.0.0.

The default gateway must be reachable from a VPN Concentrator interface, and it is usually on the public network. The Manager displays a warning screen if you enter an IP address that is not on one of its interface networks, and it displays a dialog box if you enter an IP address that is not on the public network.

Metric

Enter the metric, or cost, for the route to the default gateway. Use a number from 1 to 16, where 1 is the lowest cost. The routing subsystem always tries to use the least costly route. For example, if this route uses a low-speed line, you might assign a high metric so the system will use it only if all high-speed routes are unavailable.


Tunnel Default Gateway

Enter the IP address of the default gateway for tunneled data. Use dotted decimal notation, for example: 10.10.0.2. If you do not use a tunnel default gateway, enter 0.0.0.0 (the default entry).

To delete a configured tunnel default gateway, enter 0.0.0.0.

This gateway is often a firewall in parallel with the VPN Concentrator and between the public and private networks. The tunnel default gateway applies to all tunneled traffic, including IPSec LAN-to-LAN traffic.

Note If you use an external device instead of the VPN Concentrator for NAT (Network Address Translation), you must configure the tunnel default gateway.

About the Tunnel Default Gateway

When you configure a tunnel default gateway, the VPN Concentrator forwards the tunnel-to-tunnel traffic to the tunnel default gateway. That device redirects the traffic back through the VPN Concentrator en route to its destination.

Redirecting traffic out the same interface that received it is sometimes called hairpinning. Some devices, such as the PIX Firewall, do not support hairpinning.

Overriding the Tunnel Default Gateway

Release 4.1 lets you define a filter rule to override a tunnel default gateway. This lets the VPN Concentrator, rather than the tunnel default gateway, hairpin the traffic. Use this feature when the tunnel default gateway does not support hairpinning.

Figure 7-5 illustrates this concept.

• The solid lines show the tunnel default gateway hairpinning the traffic.

• The dashed lines show the VPN Concentrator hairpinning the traffic when it applies a filter rule that overrides a tunnel default gateway.

Figure 7-5 Tunnel Default Gateway

[Figure 7-5 shows a VPN 3000 with its Default Gateway and Tunnel Default Gateway, and two remote clients, Client 1 and Client 2.]

To hairpin traffic through a VPN Concentrator:


Step 1 Create a filter rule (Configuration | Policy Management | Traffic Management | Rules | Add).

• Set the direction for the rule as Inbound.

• Set the Action as Override Tunnel Default Gateway or Override Tunnel Default Gateway and Log.

• Set the destination as the network or network list that identifies IP addresses to retunnel.

• Note that you can set specific kinds of traffic (TCP, ICMP, ESP, for example) for the rule.

Step 2 Create a filter (Configuration | Policy Management | Traffic Management | Filters | Add).

• Set the Default Rule to Forward.

• Add to the filter the filter rule you created in Step 1.

Step 3 Apply the filter to the appropriate group(s) (Configuration | User Management | Base Group/Groups | Add/Modify | General tab). This applies to both remote access and LAN-to-LAN groups.

Step 4 If you want traffic traveling in both directions to override the tunnel default gateway, you may need to apply the filter to multiple groups, because the rule created in Step 1 matches only the inbound traffic of each group to which the filter is assigned.

Override Default Gateway

To allow default gateways learned via RIP or OSPF to override the configured default gateway, check the Override Default Gateway check box (the default). To always use the configured default gateway, uncheck the box. Unchecking it prevents a default route advertised by a neighboring router from displacing the gateway you configured.

Apply / Cancel

To apply the settings for default gateways, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen. If you configure a Default Gateway, it also appears in the Static Routes list on the Configuration | System | IP Routing | Static Routes screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.


Configuration | System | IP Routing | OSPF

This screen lets you configure system-wide parameters for the OSPF (Open Shortest Path First) routing protocol. You must also configure interface-specific OSPF parameters on the Configuration | Interfaces screens.

OSPF is a protocol that the IP routing subsystem uses for messages to other OSPF routers within an internal or private network, to determine network connectivity, status, and optimum paths for sending data traffic. The VPN Concentrator supports OSPF version 2 (RFC 2328).

The complete private network is called an OSPF Autonomous System (AS), or domain. The AS is divided into areas, each a group of networks and the routers that connect them. You configure OSPF areas on the Configuration | System | IP Routing | OSPF Areas screens.

Figure 7-6 Configuration | System | IP Routing | OSPF Screen

Enabled

To enable the VPN Concentrator OSPF router, check the Enabled check box. (By default it is unchecked.) You must also enter a Router ID. You must check this box for OSPF to work on any interface that uses it.

To change a configured Router ID, you must disable OSPF here.

To enable OSPF routing on an interface, you must also configure and enable OSPF on the appropriate Configuration | Interfaces screen.


Router ID

The router ID uniquely identifies the VPN Concentrator OSPF router to other OSPF routers in its domain. While the format is that of an IP address, it functions only as an identifier and not an address. By convention, however, this identifier is the same as the IP address of the interface that is connected to the OSPF router network.

Enter the router ID in the field. Use dotted decimal IP address format, for example: 10.10.4.6. The default entry is 0.0.0.0 (no router configured). If you enable the OSPF router, you must enter an ID.

Note Once you configure and apply a router ID, you must disable OSPF before you can change it. You cannot change the ID back to 0.0.0.0.

Autonomous System

An OSPF Autonomous System (AS), or domain, is a complete internal network. An AS boundary router exchanges routing information with routers belonging to other Autonomous Systems, and advertises external AS routing information throughout its AS. If you are using reverse route injection (RRI) with OSPF, you must enable Autonomous System.

Check the Autonomous System check box to indicate that the VPN Concentrator OSPF router is the boundary router for an Autonomous System. If you check this box, the VPN Concentrator also redistributes RIP and static routes into the OSPF areas. By default, the box is unchecked.

Apply / Cancel

To apply your OSPF settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.

Configuration | System | IP Routing | OSPF Areas

This section of the Manager lets you configure OSPF areas, which are the subnets within an OSPF Autonomous System or domain. You should configure entries for all areas connected to this VPN Concentrator OSPF router.

You can also identify an OSPF area on a VPN Concentrator network interface (see Configuration | Interfaces). Those area identifiers appear in the OSPF Area list on this screen.

Figure 7-7 Configuration | System | IP Routing | OSPF Areas Screen

OSPF Area

The OSPF Area list shows identifiers for all areas that are connected to this VPN Concentrator OSPF router. The format is the same as a dotted decimal IP address, for example: 10.10.0.0. The default entry is 0.0.0.0. This entry identifies a special area known as the backbone that contains all area border routers, which are the routers connected to multiple areas.

Add / Modify / Delete

To configure and add a new OSPF area, click Add. The Manager opens the Configuration | System | IP Routing | OSPF Areas | Add screen.

To modify a configured OSPF area, select the area from the list and click Modify. The Manager opens the Configuration | System | IP Routing | OSPF Areas | Modify screen.

To delete a configured OSPF area, select the area from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining entries in the OSPF Area list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | IP Routing | OSPF Areas | Add or Modify

These Manager screens let you:

• Add: Configure and add an OSPF area.

• Modify: Modify parameters for a configured OSPF area.

Note Once you have configured an OSPF Area, you cannot modify its ID. To change an area ID, delete the existing area and add a new one.

Figure 7-8 Configuration | System | IP Routing | OSPF Areas | Add or Modify Screen

Area ID

• Add: Enter the area ID in the field. Use IP address dotted decimal notation, for example: 10.10.0.0.

The default entry is 0.0.0.0, the backbone.

• Modify: Once you have configured an area ID, you cannot change it. See preceding note.

The Area ID identifies the subnet area within the OSPF Autonomous System or domain. While its format is the same as an IP address, it functions only as an identifier and not an address. The 0.0.0.0 area ID identifies a special area—the backbone—that contains all area border routers.

Area Summary

Check the Area Summary check box to have the OSPF router generate and propagate summary LSAs (Link-State Advertisements) into OSPF stub areas. LSAs describe the state of the router’s interfaces and routing paths. Stub areas contain only final-destination hosts and do not pass traffic through to other areas. Sending LSAs to them is usually not necessary. By default this box is unchecked.

External LSA Import

Click the External LSA Import drop-down menu button and choose whether to bring in LSAs from neighboring Autonomous Systems. LSAs describe the state of the AS router’s interfaces and routing paths. Importing those LSAs builds a more complete link-state database, but it requires more processing. The choices are:

• External = Yes, import LSAs from neighboring ASs (the default).

• No External = No, do not import external LSAs.

Add or Apply / Cancel

To add this OSPF area to the list of configured areas, click Add. Or to apply your changes to this OSPF area, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | IP Routing | OSPF Areas screen. Any new entry appears at the bottom of the OSPF Area list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing | OSPF Areas screen, and the OSPF Area list is unchanged.

Configuration | System | IP Routing | DHCP Parameters

This screen lets you configure DHCP (Dynamic Host Configuration Protocol) Proxy parameters that apply to DHCP functions within the VPN Concentrator. You can use external DHCP servers to assign IP addresses to the VPN tunnel as it is established.

If you check the Use DHCP check box on the Configuration | System | Address Management | Assignment screen, you must configure at least one DHCP server on the Configuration | System | Servers | DHCP screens. You configure global DHCP parameters here.

Figure 7-9 Configuration | System | IP Routing | DHCP Parameters Screen

Enabled

Check the Enabled check box to enable DHCP Proxy, which allows the VPN tunnel to get its IP address from a DHCP server. The box is checked by default.

Lease Timeout

Enter the timeout in minutes for addresses that are obtained from a DHCP server. The minimum timeout is 5 minutes. The default is 120 minutes. The maximum is 500000 minutes. DHCP servers “lease” IP addresses for this period of time. Before the lease expires, the VPN Concentrator asks to renew it on behalf of the client. If for some reason the lease is not renewed, the connection terminates when the lease expires. The DHCP server’s lease period takes precedence over this setting.

Listen Port

Enter the UDP port number on which DHCP server response messages are accepted. The default is 67, which is the well-known port. To ensure proper communication with DHCP servers, we strongly recommend that you not change this default.

Timeout Period

Enter the initial time in seconds to wait for a response to a DHCP request before sending the request to the next configured DHCP server. The minimum time is 1 second. The default time is 2 seconds. The maximum time is 30 seconds. This time doubles with each cycle through the list of configured DHCP servers.

Apply / Cancel

To apply the settings for DHCP parameters, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.

Configuration | System | IP Routing | DHCP Relay

DHCP relay lets VPN clients, particularly wireless clients, obtain a network configuration from a DHCP server on the VPN Concentrator’s private network before creating a VPN tunnel. The client sends a DHCP request to the public or external network. The VPN Concentrator receives the DHCP request on its public or external interface, and forwards the request. To respond with a DHCP offer, one or more DHCP servers on the corporate network must have an IP address scope for the public network. When the DHCP server does respond with a DHCP offer, the VPN client and the DHCP server then proceed with DHCP negotiations, with the VPN Concentrator acting as a router, relaying DHCP messages between them.

The primary benefit of DHCP relay is that you do not have to maintain a separate DHCP server for VPN clients. For DHCP relay to work, however, the VPN Concentrator allows unauthenticated DHCP traffic through the VPN Concentrator. This poses a potential security risk, for example, vulnerability to denial of service attacks by requesting all available DHCP addresses, or by exhausting CPU and/or network bandwidth. You should be aware of these security issues.
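One way to watch for the address-exhaustion and resource-exhaustion risk just described, as an added example that is not from the manual or from Cisco: it scans DHCP server logs for a burst of distinct client MACs relayed from one address and for "no free leases" reports. The log lines are constructed in ISC dhcpd syslog style (no VPN Concentrator event format is assumed), 203.0.113.1 stands in for the relaying public interface, and the thresholds and the year used for timestamp parsing are illustrative parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Tuple

# Constructed DHCP server log lines in ISC dhcpd syslog style (the manual does
# not define a log format). 203.0.113.1 stands for the VPN Concentrator public
# interface that relayed the requests; 10.0.0.1 is a relay with normal load.
SAMPLE_LOG = [
    "Jan 15 10:00:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:01 via 203.0.113.1",
    "Jan 15 10:00:01 dhcp1 dhcpd: DHCPOFFER on 203.0.113.10 to 00:11:22:33:44:01 via 203.0.113.1",
    "Jan 15 10:00:02 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:02 via 203.0.113.1",
    "Jan 15 10:00:02 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:03 via 203.0.113.1",
    "Jan 15 10:00:03 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:04 via 203.0.113.1",
    "Jan 15 10:00:03 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:05 via 203.0.113.1",
    "Jan 15 10:00:04 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:06 via 203.0.113.1",
    "Jan 15 10:00:05 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:07 via 203.0.113.1: "
    "network 203.0.113.0/24: no free leases",
    "Jan 15 10:00:09 dhcp1 dhcpd: DHCPDISCOVER from 00:aa:bb:cc:dd:01 via 10.0.0.1",
]

# Only DISCOVER lines are counted; offers, acks and other noise are ignored.
DISCOVER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPDISCOVER "
    r"from (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) "
    r"via (?P<relay>\d{1,3}(?:\.\d{1,3}){3})(?P<rest>.*)$"
)

Alert = Tuple[str, str, str]  # (kind, relay address, detail)


def detect_dhcp_relay_abuse(lines, window_seconds=60, max_new_clients=5,
                            year=2004) -> List[Alert]:
    """Flag, per relay address, a burst of distinct DHCP clients inside a sliding
    window (address-pool exhaustion in progress) and any server report that the
    pool is already empty. Each condition is reported once per relay.
    `year` is assumed because syslog timestamps carry no year."""
    recent = defaultdict(deque)      # relay -> deque of (timestamp, client MAC)
    alerted = set()
    alerts: List[Alert] = []
    for line in lines:
        m = DISCOVER_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        relay, mac, rest = m["relay"], m["mac"].lower(), m["rest"]
        window = recent[relay]
        window.append((ts, mac))
        # Drop entries that fell out of the sliding window.
        while window and (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {client for _, client in window}
        if len(distinct) > max_new_clients and ("burst", relay) not in alerted:
            alerted.add(("burst", relay))
            alerts.append(("burst", relay,
                           f"{len(distinct)} distinct clients within {window_seconds}s"))
        if "no free leases" in rest and ("exhausted", relay) not in alerted:
            alerted.add(("exhausted", relay))
            alerts.append(("exhausted", relay, "server reported no free leases"))
    return alerts


if __name__ == "__main__":
    for kind, relay, detail in detect_dhcp_relay_abuse(SAMPLE_LOG):
        print(f"{kind:10s} relay={relay:15s} {detail}")
```

Run against the DHCP server that serves the public-network scope, keyed on the relay address, so that a single VPN Concentrator interface sourcing many requests stands out from the rest of the network. Pair the "exhausted" alert with the DHCP In/Out filter rules from the note below, since those rules are what exposes the server to this traffic in the first place.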

Note To enable DHCP relay, you must also assign the DHCP In and DHCP Out rules to the interface filter in the Configuration | Policy Management | Traffic Management | Filters screen.

Enabled

Check the Enabled check box to enable DHCP relay on the VPN Concentrator.

DHCP Info Transmission

This parameter determines how the VPN Concentrator transmits DHCP requests. Select one of these options:

• Broadcast to all interfaces = DHCP requests that come in the public interface are broadcast out the private and external interfaces. DHCP requests that come in the external interface are broadcast out the private interface.

• Forward to a specific network/host address, including the subnet mask = DHCP requests are sent to a specific network or host. Enter the IP address and subnet mask for the network or host. Remember that the subnet mask for a specific host is 255.255.255.255.

Apply / Cancel

To apply the settings for DHCP relay parameters, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | IP Routing | Redundancy

This screen lets you configure parameters for Virtual Router Redundancy Protocol (VRRP), which manages automatic switch over from one VPN Concentrator to another in a redundant installation. Automatic switchover provides user access to the VPN even if the primary VPN Concentrator is out of service.

These functions apply only to installations where two or more VPN Concentrators are in parallel. One VPN Concentrator is the master system, and the other(s) are backup systems. A backup system acts as a virtual master system when a switchover occurs.

Note If VRRP is configured on a VPN Concentrator, you cannot also enable load balancing. In a VRRP configuration, the backup device remains idle unless the active VPN Concentrator fails. Load balancing does not permit idle devices.

This feature supports user access via IPSec LAN-to-LAN connections, IPSec client (single-user remote-access) connections, and PPTP client connections.

• For IPSec LAN-to-LAN connections, switchover is fully automatic. Users do not need to do anything. Switchover typically occurs within 3 to 10 seconds.

• For single-user IPSec and PPTP connections, users are disconnected from the failing system but they can reconnect without changing any connection parameters.

Before configuring or enabling VRRP on this screen, you must configure all Ethernet interfaces that apply to your installation, on all redundant VPN Concentrators. See the Configuration | Interfaces screens.

You must also configure identical IPSec LAN-to-LAN parameters on the redundant VPN Concentrators. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screens.

Note VRRP cannot be used when DHCP is enabled on the VPN Concentrator’s interfaces. Use static IP addressing when VRRP is enabled.

In a VRRP configuration, if the public or private interface of the master system goes down, the other interfaces shut down automatically and the backup VPN device takes over. The backup VPN device takes over only when it stops receiving VRRP messages on both the public and private interfaces.

Some failure cases are not detected by VRRP. If a forwarding device (router or switch) fails on a network connecting the VRRP master and backup devices, the master might not detect the failure at the link level. For example, if you have a Cisco Catalyst switch between the master and backup devices and you shut that switch port down, this shutdown does not bring down the link layer. As long as the link layer is up, the VPN Concentrator does not detect the interface as “DOWN” (appearing on the Configuration | Interfaces screen), and therefore it does not stop sending messages to the backup device on all its interfaces. In this case, because the backup device is still receiving VRRP messages on at least one interface, it does not take over as the master.

Also, when a Cisco Catalyst switch in a VRRP scenario uses Spanning-Tree Protocol (STP), the inherent delays with STP cause a delay in recognizing that a backup VPN Concentrator has taken over as the master. To reduce this delay to 15 seconds, enable Portfast on switches that use STP. To configure Portfast on Cisco switches, refer to the document:

http://www.cisco.com/warp/public/473/12.html

Figure 7-10 Configuration | System | IP Routing | Redundancy Screen

Enable VRRP

Check the Enable VRRP check box to enable VRRP functions. The box is unchecked by default.

Group ID

Enter a number that uniquely identifies this group of redundant VPN Concentrators. This number must be the same on all systems in this group. Use a number from 1 (default) to 255. Since there is rarely more than one virtual group on a LAN, we suggest you accept the default.

Group Password

Enter a password for additional security in identifying this group of redundant VPN Concentrators. The maximum password length is 8 characters. The Manager shows your entry in clear text, and VRRP advertisements contain this password in clear text. This password must be the same on all systems in this group. Leave this field blank to use no password.

Role

Click the Role drop-down menu button and choose the role of this VPN Concentrator in this redundant group.

• Master = This is the Master system in this group (the default choice). Be sure to configure only one Master system in a group with a given Group ID.

• Backup 1 through Backup 5 = This is a Backup system in this group.

Advertisement Interval

Enter the time interval in seconds between VRRP advertisements to other systems in this group. Only the Master system sends advertisements; this field is ignored on Backup systems while they remain Backup. The minimum interval is 1 second. The default interval is 1 second. The maximum is 255 seconds. Since a Backup system can become a Master system, we suggest you accept the default for all systems.
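What a Backup actually receives when the Master advertises, showing where the Group ID, Group Password and Advertisement Interval fields end up on the wire. This is an added example and not code from the manual or from Cisco. It assumes the VPN Concentrator sends RFC 2338 VRRPv2 advertisements, which is consistent with the 1 to 255 Group ID range, the 1 to 255 second interval and the 8-character password limit described on this screen; the packet bytes are constructed for the example, not captured from a device. The parser verifies the message checksum and makes the page's point concrete: a simple-text group password is an identifier that every host on the segment can read, not a secret.

```python
import ipaddress
import struct
from typing import Dict, List

AUTH_NONE, AUTH_SIMPLE_TEXT, AUTH_IP_AH = 0, 1, 2

# Constructed VRRPv2 ADVERTISEMENT payload (IP header omitted). Example values:
# VRID 1, priority 100, one shared address 192.168.12.1, simple-text
# authentication carrying the group password "grpPass".
SAMPLE_ADVERTISEMENT = bytes([
    0x21,                    # version 2, type 1 (ADVERTISEMENT)
    0x01,                    # virtual router ID (the screen's Group ID)
    0x64,                    # priority 100
    0x01,                    # count of IP addresses that follow
    0x01,                    # auth type 1 = simple text password
    0x01,                    # advertisement interval, 1 second
    0x01, 0x1C,              # checksum over the whole message
    0xC0, 0xA8, 0x0C, 0x01,  # 192.168.12.1 (the group shared address)
    0x67, 0x72, 0x70, 0x50, 0x61, 0x73, 0x73, 0x00,  # "grpPass" padded to 8 bytes
])


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (RFC 1071). Over a message whose
    embedded checksum field is correct the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_vrrp_advertisement(pkt: bytes) -> Dict[str, object]:
    """Decode an RFC 2338 VRRPv2 advertisement into its fields."""
    if len(pkt) < 16:
        raise ValueError("truncated VRRP message")
    vt, vrid, priority, count, auth_type, adver_int, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    version, msg_type = vt >> 4, vt & 0x0F
    if version != 2 or msg_type != 1:
        raise ValueError(f"not a VRRPv2 advertisement (version {version}, type {msg_type})")
    if len(pkt) != 8 + 4 * count + 8:       # header + addresses + 8 bytes auth data
        raise ValueError("length does not match the address count")
    addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    auth_data = pkt[8 + 4 * count:]
    info: Dict[str, object] = {
        "vrid": vrid,
        "priority": priority,
        "advertisement_interval": adver_int,
        "addresses": addrs,
        "auth_type": auth_type,
        "checksum_ok": inet_checksum(pkt) == 0,
    }
    if auth_type == AUTH_SIMPLE_TEXT:
        # The password travels unencrypted; anyone sniffing the LAN sees it.
        info["password"] = auth_data.rstrip(b"\x00").decode("ascii", "replace")
    return info


def vrrp_findings(info: Dict[str, object]) -> List[str]:
    """Defender's reading of a parsed advertisement."""
    findings = []
    if not info["checksum_ok"]:
        findings.append("checksum mismatch: corrupted or tampered advertisement")
    if info["auth_type"] == AUTH_SIMPLE_TEXT:
        findings.append(f"group password {info['password']!r} is readable by every host on "
                        "the segment; it identifies the group, it does not authenticate it")
    elif info["auth_type"] == AUTH_NONE:
        findings.append("no authentication field: any advertisement with this VRID is "
                        "accepted by the group")
    return findings


if __name__ == "__main__":
    parsed = parse_vrrp_advertisement(SAMPLE_ADVERTISEMENT)
    print(parsed)
    for finding in vrrp_findings(parsed):
        print("-", finding)
```

The practical consequence for this screen: keep the Master and Backup on a LAN segment that only the redundant VPN Concentrators share, and treat the Group Password as a guard against accidental group collisions rather than as access control.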

Group Shared Addresses

Enter the IP addresses that are treated as configured router addresses by all virtual routers in this group. The Manager displays fields only for the Ethernet interfaces that have been configured.

On the Master system, these entries are the IP addresses configured on its Ethernet interfaces, and the Manager supplies them by default.

On a Backup system, the fields are empty by default, and you must enter the same IP addresses as those on the Master system.

1 (Private)

The IP address for the Ethernet 1 (Private) interface shared by the virtual routers in this group.

2 (Public)

The IP address for the Ethernet 2 (Public) interface shared by the virtual routers in this group.

3 (External)

The IP address for the Ethernet 3 (External) interface shared by the virtual routers in this group.

Apply / Cancel

To apply the settings for VRRP, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.

Configuration | System | IP Routing | Reverse Route Injection

The VPN Concentrator can automatically add static routes to the routing table and announce these routes to its private network or border routers using OSPF or RIP. This feature is called reverse route injection (RRI). The RRI options that you can configure vary with the type of connection:

• Remote software clients or VPN 3002 Hardware Clients using Client (PAT) mode:

– For individual remote clients, enable the Client Reverse Route Injection option.

– For a group of remote clients, enter an address pool in the Address Pool Hold Down Routes field.

• Remote VPN 3002 Hardware Clients using Network Extension Mode (NEM): enable the Network Extension Reverse Route Injection option.

• LAN-to-LAN connections: see the Routing option on the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify screen.

To add routes to the routing table of the VPN Concentrator without advertising them to the private network, disable routing on the private interface.

To advertise the routes, enable OSPF or RIP on the VPN Concentrator’s private interface. (See the Configuration | Interfaces | Ethernet 1 2 3 screen, RIP or OSPF tabs.)

Figure 7-11 Configuration | System | IP Routing | Reverse Route Injection Screen

Client Reverse Route Injection

Note This option applies to all remote software clients and VPN 3002 Hardware Clients using Client (PAT) Mode.

Check the Client Reverse Route Injection check box to add host routes for each remote client to the VPN Concentrator routing table. The VPN Concentrator adds a host route when the client connects and deletes it when the client disconnects.

This option adds individual clients; to add address pools, use the Address Pool Hold Down Routes option.

This box is unchecked by default.

Network Extension Reverse Route Injection

Note This option applies only to VPN 3002 Hardware Clients using Network Extension Mode.

Check the Network Extension Reverse Route Injection check box to add a network route for each network behind a VPN 3002 Hardware Client to the routing table on the VPN Concentrator. The VPN Concentrator adds the route when the VPN 3002 connects and deletes the route when it disconnects.

This box is unchecked by default.

Address Pool Hold Down Routes

Note This option applies to all remote software clients and VPN 3002 Hardware Clients using Client (PAT) Mode.

In the Address Pool Hold Down Routes field, enter any hold down routes to add to the VPN Concentrator routing table. You can either enter routes automatically or manually:

• To automatically generate a list of hold down routes based on currently configured address pools, click the Generate Hold Down Routes button. You can then edit this list, if you want.

• If you are entering routes manually, use the following format: n.n.n.n/n.n.n.n; for example, 192.168.90.64/255.255.255.192. Enter each network address/subnet mask pair on a single line.

If you configure both the Client Reverse Route Injection and the Address Pool Hold Down Routes fields, when a remote client connects to the VPN Concentrator, the VPN Concentrator checks first to see if the client address falls under any of the address pool routes listed here. If not, it adds the client’s route to the routing table.
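The hold-down route format and the connect-time check described above, worked through in Python as an added example (not code from the manual or from Cisco). The route entries are constructed sample values, address pools are assumed to be given as first/last address pairs, and the function names are the example's own. The functions parse the n.n.n.n/n.n.n.n lines, regenerate them from pools the way the Generate Hold Down Routes button does, and decide whether a connecting client still needs a /32 host route.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed hold-down entries in the screen's "n.n.n.n/n.n.n.n" format,
# one network/mask pair per line; example values, not the manual's.
HOLD_DOWN_ROUTES_TEXT = """\
192.168.90.64/255.255.255.192
10.20.0.0/255.255.0.0
"""


def parse_hold_down_routes(text: str) -> List[ipaddress.IPv4Network]:
    """Parse address/mask lines (dotted mask, not a prefix length) into networks.

    Blank lines are skipped. A malformed line raises ValueError so that a typo
    cannot silently drop a pool from the hold-down list.
    """
    routes: List[ipaddress.IPv4Network] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            addr, mask = line.split("/", 1)
            routes.append(ipaddress.IPv4Network((addr.strip(), mask.strip()), strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad hold-down route {line!r}: {exc}") from exc
    return routes


def generate_hold_down_routes(pools: Iterable[Tuple[str, str]]) -> List[ipaddress.IPv4Network]:
    """Summarize each (first, last) address-pool range into the fewest covering
    networks, as the Generate Hold Down Routes button does for configured pools.
    (Pools as first/last pairs is an assumption of this example.)"""
    nets: List[ipaddress.IPv4Network] = []
    for first, last in pools:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return nets


def format_hold_down_routes(nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Render networks back into the screen's address/mask line format."""
    return "\n".join(f"{n.network_address}/{n.netmask}" for n in nets)


def route_to_inject(client_ip: str, hold_down: List[ipaddress.IPv4Network],
                    client_rri_enabled: bool) -> Optional[ipaddress.IPv4Network]:
    """Apply the order of checks described for a connecting remote client:
    an address already covered by a hold-down route needs no host route;
    otherwise, with Client Reverse Route Injection enabled, a /32 host route
    is injected. Returns the route to add, or None."""
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in net for net in hold_down):
        return None
    if client_rri_enabled:
        return ipaddress.IPv4Network((str(ip), 32))
    return None


if __name__ == "__main__":
    routes = parse_hold_down_routes(HOLD_DOWN_ROUTES_TEXT)
    print("hold-down routes:", [str(r) for r in routes])
    print("pool 192.168.90.64-127 ->", format_hold_down_routes(
        generate_hold_down_routes([("192.168.90.64", "192.168.90.127")])))
    for client in ("192.168.90.70", "172.16.5.9"):
        print(client, "->", route_to_inject(client, routes, client_rri_enabled=True))
```

Pool routes are the cheaper option: one network route per pool stays in the table and is advertised once, whereas per-client host routes churn the routing table and the OSPF or RIP advertisements with every connect and disconnect.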

Generate Hold Down Routes

Note If you have typed any entries into the Address Pool Hold Down Routes window, clicking this button will erase them. If you want to keep these previous entries, copy them to a file or clipboard and paste them back in after clicking the Generate Hold Down Routes button.

Click the Generate Hold Down Routes button to automatically display hold down routes based on configured address pools in the Address Pool Hold Down Routes window.

Apply / Cancel

To apply the settings for Reverse Route Injection, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | IP Routing screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | IP Routing screen.

Chapter 8

Management Protocols

The VPN 3000 Concentrator Series includes various built-in servers, using various protocols, that let you perform typical network and system management functions. This section explains how you configure and enable those servers.

Configuration | System | Management Protocols

This section of the Manager lets you configure and enable built-in VPN Concentrator servers that provide management functions using:

• FTP: File Transfer Protocol.

• HTTP: Hypertext Transfer Protocol.

• TFTP: Trivial File Transfer Protocol.

• Telnet: Terminal emulation protocol, and Telnet over SSL.

• SNMP: Simple Network Management Protocol.

• SNMP Community Strings: Identifiers for valid SNMP clients.

• XML: Extensible Markup Language.

Figure 8-1 Configuration | System | Management Protocols Screen

Configuration | System | Management Protocols | FTP

This screen lets you configure and enable the VPN Concentrator’s FTP (File Transfer Protocol) server. When the server is enabled, you can use an FTP client to upload and download files in VPN Concentrator Flash memory.

FTP server login usernames and passwords are the same as those enabled and configured on the Administration | Access Rights | Administrators screens. To protect security, the VPN Concentrator does not allow anonymous FTP login.

The settings here have no effect on FTP backup of event log files. (See Configuration | System | Events | General and FTP Backup.) For those operations, the VPN Concentrator acts as an FTP client.

Figure 8-2 Configuration | System | Management Protocols | FTP Screen

Enable

Check the Enable check box to enable the FTP server. The box is checked by default. Disabling the FTP server provides additional security.

Port

Enter the port number that the FTP server uses. The default value is 21.

Maximum Connections

Enter the maximum number of concurrent control connections (sessions) that the FTP server allows. (FTP uses separate connections for control and data transfer during a session.) The minimum number is 1. The default is 5. The maximum is 20.

Apply / Cancel

To apply your FTP server settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | HTTP

This screen lets you configure and enable the VPN Concentrator’s HTTP server: Hypertext Transfer Protocol. When the server is enabled, you can use a web browser to communicate with the VPN Concentrator.

Note The VPN Concentrator Manager requires either the HTTP or HTTPS server. Clicking Apply, even if you have made no changes on this screen, breaks your HTTP/HTTPS connection and you must restart the Manager session from the login screen.

If you disable either HTTP or HTTPS, and that is the protocol you are currently using, you can reconnect with the other protocol if it is enabled and configured.

If you disable both HTTP and HTTPS, you cannot use a web browser to connect to the VPN Concentrator. Use the Cisco Command Line Interface from the console or a Telnet session.

If you disable HTTPS, you cannot use WebVPN.

Related information:

• For information on installing the SSL digital certificate in your browser and connecting via HTTPS, see Chapter 1, “Using the VPN Concentrator Manager.”

• To configure SSL and HTTPS parameters, see the Configuration | Tunneling and Security | SSL screen.

• To install, generate, view, or delete the SSL certificate on the VPN Concentrator, see the Administration | Certificate Management screens.

Figure 8-3 Configuration | System | Management Protocols | HTTP Screen

Enable HTTP

Check the Enable HTTP check box to enable the HTTP server. The box is checked by default. You must enable HTTP to install the SSL certificate in the browser initially, so you can thereafter use HTTPS. Disabling the HTTP server provides additional security, but makes system management less convenient. See the preceding notes.

HTTP Port

Enter the port number that the HTTP server uses. The default value is 80.

Maximum Sessions

Enter the maximum number of concurrent, combined HTTP management sessions that the server allows. The minimum number of sessions is 1. The default number is 4. The maximum number is 10.

Apply / Cancel

To apply your HTTP server settings, to include your settings in the active configuration, and to break the current HTTP connection, click Apply. If HTTP is still enabled, the Manager returns to the main login screen. If both HTTP and HTTPS are disabled, you can no longer use the Manager.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | TFTP

This screen lets you configure and enable the VPN Concentrator’s TFTP (Trivial File Transfer Protocol) server. When the server is enabled, you can use a TFTP client to upload and download files in VPN Concentrator Flash memory.

TFTP is similar to FTP, but it has no login procedure and no user interface commands. It allows only file transfers. The lack of a login procedure makes it relatively insecure.

The settings here have no effect on TFTP file transfer from the Administration | File Management | TFTP Transfer screen. For those operations, the VPN Concentrator acts as a TFTP client.

Figure 8-4 Configuration | System | Management Protocols | TFTP Screen

Enable

Check the Enable check box to enable the TFTP server. The box is unchecked by default. Disabling the TFTP server provides additional security.

Port

Enter the port number that the TFTP server uses. The default port number is 69.

Maximum Connections

Enter the maximum number of simultaneous connections that the TFTP server allows. The minimum number is 1. The default number is 5. The maximum number is 20.

Timeout

Enter the timeout in seconds for inactive TFTP connections. The minimum timeout is 1 second. The default is 10 seconds. The maximum is 30 seconds. Change the default value only if you have problems with TFTP transfers.

Apply / Cancel

To apply your TFTP settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.

Configuration | System | Management Protocols | Telnet

This screen lets you configure and enable the VPN Concentrator’s Telnet terminal emulation server. When the server is enabled, you can use a Telnet client to communicate with the VPN Concentrator. You can fully manage and administer the VPN Concentrator using the Cisco VPN Concentrator Command Line Interface via Telnet.

Telnet server login usernames and passwords are the same as those enabled and configured on the Administration | Access Rights | Administrators screens.

To configure SSL parameters, see the Configuration | Tunneling and Security | SSL screen. To manage the SSL digital certificate, see the Administration | Certificate Management screens.

Figure 8-5 Configuration | System | Management Protocols | Telnet Screen

Enable Telnet

Check the Enable Telnet check box to enable the Telnet server. The box is checked by default. Disabling the Telnet server provides additional security, but doing so prevents using the Cisco VPN Concentrator Command-Line Interface via Telnet.


Telnet Port

Enter the port number that the Telnet server uses. The default value is 23.

Maximum Connections

Enter the maximum number of concurrent Telnet connections that the server allows. The minimum number is 1. The default number is 5. The maximum number is 10.

Apply / Cancel

To apply your Telnet settings, and to include the settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.


Configuration | System | Management Protocols | SNMP

This screen lets you configure and enable the VPN Concentrator’s SNMP (Simple Network Management Protocol) server. When the server is enabled, you can use an SNMP client to collect information from the VPN Concentrator but not to configure it.

To use the SNMP server, you must also configure an SNMP Community on the Configuration | System | Management Protocols | SNMP Communities screen.

The settings on this screen have no effect on sending system events to SNMP trap destinations (see Configuration | System | Events | General and Trap Destinations). For those functions, the VPN Concentrator acts as an SNMP client.

Figure 8-6 Configuration | System | Management Protocols | SNMP Screen

Enable

Check the Enable check box to enable the SNMP server. The box is checked by default. Disabling the SNMP server provides additional security.

Port

Enter the port number that the SNMP server uses. The default value is 161.


Maximum Queued Requests

Enter the maximum number of outstanding queued requests that the SNMP server allows. The minimum number is 1. The default number is 4. The maximum number is 200.

Apply / Cancel

To apply your SNMP settings, and to include the settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Management Protocols screen.


Configuration | System | Management Protocols | SNMP Communities

This section of the Manager lets you configure and manage SNMP community strings, which identify valid communities from which the SNMP server will accept requests. A community string is like a password: it validates messages between an SNMP client and the server.

To use the VPN Concentrator SNMP server, you must configure and add at least one community string. You can configure a maximum of 10 community strings. To protect security, the SNMP server does not include the usual default public community string, and we recommend that you not configure it.

Figure 8-7 Configuration | System | Management Protocols | SNMP Communities Screen

Community Strings

The Community Strings list shows SNMP community strings that have been configured. If no strings have been configured, the list shows --Empty--.

Add / Modify / Delete

To configure and add a new community string, click Add. The Manager opens the Configuration | System | Management Protocols | SNMP Communities | Add screen.

To modify a configured community string, select the string from the list and click Modify. The Manager opens the Configuration | System | Management Protocols | SNMP Communities | Modify screen.

To delete a configured community string, select the string from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | Management Protocols | SNMP Communities | Add or Modify

These Manager screens let you:

• Add: Configure and add a new SNMP community string.

• Modify: Modify a configured SNMP community string.

Figure 8-8 Configuration | System | Management Protocols | SNMP Communities | Add or Modify Screen

Community String

Enter the SNMP community string. Maximum 31 characters, case-sensitive.

Add or Apply / Cancel

To add this entry to the list of configured community strings, click Add. Or to apply your changes to this community string, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Management Protocols | SNMP Communities screen; a new entry appears at the bottom of the Community Strings list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entry or changes, click Cancel. The Manager returns to the Configuration | System | Management Protocols | SNMP Communities screen, and the Community Strings list is unchanged.


Configuration | System | Management Protocols | XML

This screen lets you configure the VPN Concentrator to support an XML-based management interface. Enabling XML management allows VPN 3000 Concentrators to be more easily managed by a centralized management system. XML is enabled by default. To disable the XML option, clear the check box. To re-enable the XML option, click the check box.

On this screen, you can also configure the VPN Concentrator to enable HTTPS or SSH (or both) on the Concentrator’s Public interface and to lock the XML interface to a specific HTTPS or SSH IP address.

Figure 8-9 Configuration | System | Management Protocols | XML Screen

Enable

Check the Enable check box, the default, to enable the XML management capability. You must also enable HTTPS or SSH on the VPN 3000 Concentrator’s Public interface. Because enabling the XML management capability facilitates managing the VPN 3000 Concentrator by an external management application, do not disable the XML management capability unless you have a specific reason for doing so.


Enable HTTPS on Public

Check the Enable HTTPS on Public check box to allow HTML or XML management over HTTPS on the VPN Concentrator’s Public interface. If this field is already checked, and is unselectable, WebVPN and/or HTTPS management (Configuration | Tunneling and Security | SSL | HTTPS) is already enabled on the public interface.

HTTPS IP Address

Enter the IP address from which to allow HTTPS access on the VPN Concentrator’s Public interface.

HTTPS Wildcard-mask

Enter the wildcard mask for the HTTPS IP address.

Note Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has 1s in bit positions to ignore, and 0s in bit positions to match. For example, entering 0.0.0.0 matches the specified address; entering 255.255.255.255 matches all addresses.

Enable SSH on Public

Check the Enable SSH on Public check box to allow command-line or XML management over Secure Shell (SSH) on the VPN Concentrator’s Public interface.

SSH IP Address

Enter the IP address from which to allow SSH access on the VPN Concentrator’s Public interface.

SSH Wildcard-mask

Enter the wildcard mask for the SSH IP address.

Note Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has 1s in bit positions to ignore, and 0s in bit positions to match. For example, entering 0.0.0.0 matches the specified address; entering 255.255.255.255 matches all addresses.
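The two wildcard-mask notes above (for the HTTPS and SSH address fields) describe how the address/wildcard pair selects which management sources are allowed. The following is an added example, not code from the Cisco manual or the VPN Concentrator itself, that applies that rule: a 1 bit in the wildcard is ignored, a 0 bit must match. The helper names (wildcard_matches, describe_rule and so on) are this example's own, and it also reports how many source addresses a given wildcard lets through, which is the check worth running before applying a mask on the Public interface.

```python
import ipaddress

# Added example (not from the Cisco manual): evaluate an HTTPS/SSH
# "IP Address" + "Wildcard-mask" pair the way the XML screen's note describes.
# A wildcard mask is the inverse of a subnet mask: 1 bits are ignored,
# 0 bits must match. Function names below are this example's own.

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer (raises on bad input)."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(source: str, address: str, wildcard: str) -> bool:
    """Return True if `source` is permitted by the `address`/`wildcard` pair.

    Only the bits that are 0 in the wildcard mask are compared; bits that are
    1 in the wildcard are "don't care" bits.
    """
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(source) & care) == (_to_int(address) & care)


def wildcard_to_netmask(wildcard: str) -> str:
    """Invert a wildcard mask into the equivalent subnet mask, e.g. 0.0.0.255 -> 255.255.255.0."""
    return str(ipaddress.IPv4Address(~_to_int(wildcard) & MASK32))


def permitted_address_count(wildcard: str) -> int:
    """Number of distinct source addresses a wildcard admits: 2 ** (number of 1 bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


def describe_rule(address: str, wildcard: str) -> str:
    """Human-readable summary of a rule, for reviewing a configuration."""
    n = permitted_address_count(wildcard)
    if n == 1:
        return f"exactly {address}"
    if n == 1 << 32:
        return "ANY address (management open to the whole Public interface)"
    return (f"{n} addresses matching {address} with wildcard {wildcard} "
            f"(netmask {wildcard_to_netmask(wildcard)})")


if __name__ == "__main__":
    # Constructed sample inputs, not values from the manual.
    for src, addr, wc in [("10.1.2.3", "10.1.2.3", "0.0.0.0"),
                          ("10.1.2.200", "10.1.2.0", "0.0.0.255"),
                          ("192.0.2.7", "10.1.2.3", "255.255.255.255")]:
        print(src, "->", wildcard_matches(src, addr, wc), "|", describe_rule(addr, wc))
```

The two extremes named in the note fall out directly: a wildcard of 0.0.0.0 admits exactly one address, and 255.255.255.255 admits every address, so describe_rule flags the latter before it is applied to an interface that faces the public network.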

CHAPTER 9

Events

An event is any significant occurrence within or affecting the VPN 3000 Concentrator, such as an alarm, trap (an event message sent to an SNMP system is called a “trap”), error condition, network problem, task completion, threshold breach, or status change. The VPN Concentrator records events in an event log, which is stored in nonvolatile memory. You can also specify that certain events trigger a console message, a UNIX syslog record, an e-mail message, or an SNMP management system trap.

Event attributes include class and severity level.

Event Class

Event class denotes the source of the event and refers to a specific hardware or software subsystem within the VPN Concentrator. Table 9-1 lists the event classes.

Table 9-1 VPN Concentrator Event Classes

Class Name    Class Description (Event Source)    Cisco-Specific Event Class? (Y/N)

AUTH Authentication N

AUTHDBG Authentication debugging Y

AUTHDECODE Authentication protocol decoding Y

AUTOUPDATE Autoupdate subsystem N

BMGT Bandwidth management subsystem Y

BMGTDBG Bandwidth management debugging Y

CAPI Cryptography subsystem N

CERT Digital certificates subsystem including SCEP N

CIFS CIFS file access Y

CIFSDBG CIFS file access debugging Y

CONFIG Configuration subsystem N

DHCP DHCP subsystem N

DHCPDBG DHCP debugging Y

DHCPDECODE DHCP decoding Y

DM Data Movement subsystem N


DNS DNS subsystem N

DNSDBG DNS debugging Y

DNSDECODE DNS decoding Y

EVENT Event subsystem N

EVENTDBG Event subsystem debugging Y

EVENTMIB Event MIB changes Y

EXPANSIONCARD Expansion card (module) subsystem N

FILTER Filter subsystem N

FILTERDBG Filter debugging Y

FSM Finite State Machine subsystem (for debugging) Y

FTPD FTP daemon subsystem N

GENERAL NTP subsystem and other general events N

GRE GRE subsystem N

GREDBG GRE debugging Y

GREDECODE GRE decoding Y

HARDWAREMON Hardware monitoring (fans, temperature, voltages, etc.) N

HTTP HTTP subsystem N

IKE ISAKMP/Oakley (IKE) subsystem N

IKEDBG ISAKMP/Oakley (IKE) debugging Y

IKEDECODE ISAKMP/Oakley (IKE) decoding Y

IP IP router subsystem N

IPDBG IP router debugging Y

IPDECODE IP packet decoding Y

IPSEC IP Security subsystem N

IPSECDBG IP Security debugging Y

IPSECDECODE IP Security decoding Y

L2TP L2TP subsystem N

L2TPDBG L2TP debugging Y

L2TPDECODE L2TP decoding Y

LBSSF Load Balancing subsystem N

MIB2TRAP MIB-II trap subsystem: SNMP MIB-II traps N

OSPF OSPF subsystem N

PPP PPP subsystem N

PPPDBG PPP debugging Y

PPPDECODE PPP decoding Y

PPTP PPTP subsystem N

PPTPDBG PPTP debugging Y

PPTPDECODE PPTP decoding Y

PSH Operating system command shell N

PSOS Embedded real-time operating system N

QUEUE System queue N

REBOOT System rebooting N

RM Resource Manager subsystem N

SMTP SMTP event handling N

SNMP SNMP trap subsystem N

SSH SSH subsystem N

SSL SSL subsystem N

SYSTEM Buffer, heap, and other system utilities N

TCP TCP subsystem N

TELNET Telnet subsystem N

TELNETDBG Telnet debugging Y

TELNETDECODE Telnet decoding Y

TIME System time (clock) N

VRRP VRRP subsystem N

WebVPN SSL over VPN sessions Y

XML XML N

Note The Cisco-specific event classes provide information that is meaningful only to Cisco engineering or support personnel. Also, the DBG and DECODE events require significant system resources and might seriously degrade performance. We recommend that you avoid logging these events unless Cisco requests it.


Event Severity Level

Severity level indicates how serious or significant the event is. It indicates how likely the event is to cause unstable operation of the VPN Concentrator, whether it represents a high-level or low-level operation, and whether it returns little or great detail. Level 1 is most significant. Table 9-2 describes the severity levels.

Within a severity level category, higher-numbered events provide more details than lower-numbered events, without necessarily duplicating the lower-level details. For example, within the Information category, Level 6 provides greater detail than Level 4, but does not necessarily include the same information as Level 4.

Logging higher-numbered severity levels causes performance to deteriorate, since more system resources are used to log and handle these events.

Note The Debug (7–9) and Packet Decode (10–13) severity levels are intended for use by Cisco engineering and support personnel. We recommend that you avoid logging these events unless Cisco requests it.

The VPN Concentrator, by default, displays all events of severity level 1 through 3 on the console. It writes all events of severity level 1 through 5 to the event log. You can change these defaults on the Configuration | System | Events | General screen, and you can configure specific events for special handling on the Configuration | System | Events | Classes screens.

Table 9-2 VPN Concentrator Event Severity Levels

Level Category Description

1 Fault A crash or non-recoverable error.

2 Warning A pending crash or severe problem that requires user intervention.

3 Warning A potentially serious problem that might require user action.

4 Information An information-only event with few details.

5 Information An information-only event with moderate detail.

6 Information An information-only event with greatest detail.

7 Debug Least amount of debugging detail.

8 Debug Moderate amount of debugging detail.

9 Debug Greatest amount of debugging detail.

10 Packet Decode High-level packet header decoding

11 Packet Decode Low-level packet header decoding

12 Packet Decode Hex dump of header

13 Packet Decode Hex dump of packet


Event Log

The VPN Concentrator records events in an event log, which is stored in nonvolatile memory. Thus the event log persists even if the system is powered off. For troubleshooting any system difficulty, or just to examine details of system activity, consult the event log first.

The Model 3015–3080 event log holds 2048 events, the Model 3005 holds 256 events. The log wraps when it is full; that is, newer events overwrite older events when the log is full.

For the event log, you can configure:

• Which event classes and severity levels to log.

• Whether to save the event log to a file in Flash memory when it is full (when it wraps). And if so:

– The format of the information in the saved log file.

– Whether to automatically send a copy of the saved log file via FTP to a remote system.

Event Log Data

Each entry (record) in the event log consists of several fields including:

• A sequence number.

• Date and time.

• Event severity level.

• Event class and number.

• Event repetition count.

• Event IP address (only for certain events).

• Description string.

For more information, see the Monitoring | Filterable Event Log screen.


Configuration | System | Events

This section of the Manager lets you configure how the VPN Concentrator handles events. Events provide information for system monitoring, auditing, management, accounting, and troubleshooting.

Figure 9-1 Configuration | System | Events Screen


Configuration | System | Events | General

This Manager screen lets you configure the general, or default, handling of all events. These defaults apply to all event classes.

You can override these default settings by configuring specific events for special handling on the Configuration | System | Events | Classes screens.

Figure 9-2 Configuration | System | Events | General Screen

Save Log on Wrap

Check the Save Log on Wrap check box to automatically save the event log when it is full. (The box is unchecked by default.) The Model 3015–3080 event log holds 2048 events, the Model 3005 holds 256 events. When the log is full, newer events overwrite older events; that is, entry 2049 overwrites entry 1, etc.

If you select automatic save, the system saves the log file to a file in Flash memory with the filename LOGNNNNN.TXT, where NNNNN is an increasing sequence number that starts with 00001 and restarts after 99999. The sequence numbers continue through reboots. For example, if four log files have already been saved, the next one saved after a reboot is LOG00005.TXT.

If Flash memory has less than 2.56 MB of free space, the system deletes the oldest log file(s) to make room for the newest saved log file. It also generates an event that notes the deletion. If there are no old log files to delete, the save function fails, and the system generates an event that notes the failure.


Each saved log file requires about 334 KB. To conserve space in Flash memory, we recommend that you periodically remove the saved log files. Keeping more than 10 to 12 files wastes space. The Administration | File Management | Files screen shows total, used, and free space in Flash memory.

Note The VPN Concentrator automatically saves the log file if it crashes, and when it is rebooted, regardless of this Save Log on Wrap setting. This log file is named SAVELOG.TXT, and it overwrites any existing file with that name. The SAVELOG.TXT file is useful for debugging.

You can manage saved log files with options on this screen and on the Administration | File Management screens.

Save Log Format

Click the Save Log Format drop-down menu button to specify the format of the saved log files.

• Multiline = Entries are ASCII text and appear on multiple 80-character lines (default). Choose this format for easiest reading and printing.

• Comma Delimited = Each entry is a single record with fields separated by commas. Choose this format for subsequent processing by an application program such as a spreadsheet or accounting system.

• Tab Delimited = Each entry is a single record with fields separated by tab characters. Choose this format for subsequent processing by an application program such as a spreadsheet or accounting system.

Refer to the section on Monitoring | Filterable Event Log in VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring for details on event log fields.

FTP Saved Log on Wrap

Check the FTP Saved Log on Wrap check box to automatically send the saved event log file, when it wraps, via FTP to a remote computer. (The box is unchecked by default.) This option copies the log file but does not delete it from the VPN Concentrator. If you check this box, you must also configure FTP destination system parameters on the Configuration | System | Events | FTP Backup screen.

E-mail Source Address

Enter the address to put in the From: field of an e-mailed event message. Enter up to 48 alphanumeric characters with no spaces, for example: [email protected]. You should configure this field if you configure any Severity to E-mail events; if you leave it blank, the From: field has the same address as the To: field (the recipient’s e-mail address).


Syslog Format

Click the Syslog Format drop-down menu button and choose the format for all events sent to syslog servers. Choices are:

• Original = Original VPN Concentrator event format with information on one line. Each entry in the event log consists of the following fields:

Sequence Date Time SEV=Severity Class/Number RPT=RepeatCount String

– Sequence: The sequence number of the event.

– Date: The date the event occurred. The date is in the following format: MM/DD/YYYY.

– Time: The time the event occurred. The time is in the following format: hh:mm:ss.ttt.

– Severity: The severity of the event (1-13). To see how this original severity level maps to Cisco IOS severity levels, see Table 9-3.

– Class/Number: The event class and event number. For a list of event classes, see the “Events” chapter.

– RepeatCount: The number of times this particular event has occurred since the VPN Concentrator was last booted.

– String: The description of the event. The string sometimes includes the IP address of the user whose session generated the event.

For example:

3 12/06/1999 14:37:06.680 SEV=4 HTTP/47 RPT=17 10.10.1.35 New administrator login: admin.

• Cisco IOS Compatible = Event format that is compatible with Cisco syslog management applications. Each entry in the event log is one line consisting of the following fields:

Sequence: Date Time TimeZone TimeZoneOffset %Class-Severity-Number: RPT=RepeatCount: String

– Sequence: The sequence number of the event.

– Date: The date the event occurred. The date is in the following format: YYYY MMM DD.

– Time: The time the event occurred. The time is in the following format: hh:mm:ss.ttt.

– TimeZone: The time zone in which the event occurred.

– TimeZoneOffset: The offset of the time zone from GMT.

– Class: The event class. For a list of event classes, see Table 9-1.

– Severity: The Cisco IOS severity of the event (0-7). Table 9-3 shows the mapping between Cisco IOS format severity levels and Original format severity levels.

– Number: The event number.

– RepeatCount: The number of times this particular event has occurred since the VPN Concentrator was last booted.

– String: The description of the event. The string sometimes includes the IP address of the user whose session generated the event.

For example:

3 1999 Dec 06 14:37:06.680 EDT -4:00 %HTTP-5-47:RPT=17 10.10.1.35: New administrator login: admin.


The Original severities and the Cisco IOS severities differ. Original severities number from 1-13. (For the meaning of each Original severity, see Table 9-2 on page 9-20.) Cisco IOS severities number from 0-7. Table 9-3 shows the meaning of Cisco IOS severities and how they map to Original severities.

Events to Log

Click the Events to Log drop-down menu button and choose the range of event severity levels to enter in the event log by default. The choices are: None, Severity 1, Severities 1-2, Severities 1-3, Severities 1-4, Severities 1-5 and Use Event List. The default is Severities 1-5. Using the default means that all events of severity level 1 through severity level 5 are entered in the event log. If you choose Use Event List, configure the Event List to specify the event types to log.

Events to Console

Click the Events to Console drop-down menu button and choose the range of event severity levels to display on the console by default. The choices are: None, Severity 1, Severities 1-2, Severities 1-3, Severities 1-4, Severities 1-5 and Use Event List. The default is Severities 1-3. Using the default means that all events of severity level 1 through severity level 3 are displayed on the console. If you choose Use Event List, configure the Event List to specify the event types to display on the console.

Table 9-3 Cisco IOS Severities

Cisco IOS Severity Meaning Original Severity

0 Emergencies 1

1 Alerts Not used

2 Critical 2

3 Errors Not used

4 Warning 3

5 Notification 4

6 Informational 5, 6

7 Debugging 7-13
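The Syslog Format section above gives the field layout of both the Original and the Cisco IOS Compatible event lines, and Table 9-3 gives the severity mapping between them. The following is an added example, not code from the Cisco manual or the VPN Concentrator, that parses both formats into one normalized record (using the manual's own two sample lines as input), applies the Table 9-3 mapping so that an Original line and its IOS-format twin carry the same Cisco IOS severity, and runs a small detection pass over the parsed events. The regular expressions, field names and the admin_logins helper are this example's assumptions; the colons after Sequence and RepeatCount are treated as optional because the manual's sample IOS line omits them.

```python
import re
from typing import Optional

# Added example (not the Cisco manual's or the VPN Concentrator's code).

# Table 9-3: Original severity (1-13) -> Cisco IOS severity (0-7).
# 1 -> 0 Emergencies, 2 -> 2 Critical, 3 -> 4 Warning, 4 -> 5 Notification,
# 5 and 6 -> 6 Informational, 7-13 -> 7 Debugging (IOS 1 and 3 are not used).
ORIGINAL_TO_IOS = {1: 0, 2: 2, 3: 4, 4: 5, 5: 6, 6: 6}
ORIGINAL_TO_IOS.update({level: 7 for level in range(7, 14)})
IOS_MEANING = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
               4: "Warning", 5: "Notification", 6: "Informational", 7: "Debugging"}


def original_to_ios_severity(level: int) -> int:
    if level not in ORIGINAL_TO_IOS:
        raise ValueError(f"Original severity must be 1-13, got {level}")
    return ORIGINAL_TO_IOS[level]


# Original format: Sequence Date Time SEV=Severity Class/Number RPT=RepeatCount String
_ORIGINAL_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<cls>[A-Za-z0-9]+)/(?P<num>\d+)\s+RPT=(?P<rpt>\d+)\s+(?P<rest>.*)$")

# Cisco IOS Compatible format:
#   Sequence: Date Time TimeZone TimeZoneOffset %Class-Severity-Number: RPT=RepeatCount: String
_IOS_RE = re.compile(
    r"^(?P<seq>\d+):?\s+(?P<date>\d{4} [A-Za-z]{3} \d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<tz>\S+)\s+(?P<tzoff>[+-]?\d{1,2}:\d{2})\s+"
    r"%(?P<cls>[A-Za-z0-9]+)-(?P<sev>\d)-(?P<num>\d+):\s*RPT=(?P<rpt>\d+):?\s+(?P<rest>.*)$")

# The String field sometimes starts with the IP address of the user's session.
_IP_PREFIX_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):?\s+(?P<msg>.*)$")


def _split_ip(rest: str):
    m = _IP_PREFIX_RE.match(rest)
    return (m.group("ip"), m.group("msg")) if m else (None, rest)


def parse_event(line: str) -> Optional[dict]:
    """Parse one syslog line in either format; return None if it matches neither."""
    m = _ORIGINAL_RE.match(line.strip())
    if m:
        sev = int(m.group("sev"))
        ip, msg = _split_ip(m.group("rest"))
        return {"format": "original", "sequence": int(m.group("seq")),
                "date": m.group("date"), "time": m.group("time"),
                "class": m.group("cls"), "number": int(m.group("num")),
                "repeat": int(m.group("rpt")), "original_severity": sev,
                "ios_severity": original_to_ios_severity(sev), "ip": ip, "message": msg}
    m = _IOS_RE.match(line.strip())
    if m:
        ip, msg = _split_ip(m.group("rest"))
        return {"format": "ios", "sequence": int(m.group("seq")),
                "date": m.group("date"), "time": m.group("time"),
                "timezone": m.group("tz"), "tz_offset": m.group("tzoff"),
                "class": m.group("cls"), "number": int(m.group("num")),
                "repeat": int(m.group("rpt")),
                "original_severity": None,  # the IOS line carries only the mapped level
                "ios_severity": int(m.group("sev")), "ip": ip, "message": msg}
    return None


def admin_logins(lines):
    """Detection helper: (source IP, sequence) for each administrator login event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["class"] == "HTTP" and "administrator login" in ev["message"].lower():
            hits.append((ev["ip"], ev["sequence"]))
    return hits


# The two lines are the manual's own sample events, one per format.
SAMPLE_LINES = [
    "3 12/06/1999 14:37:06.680 SEV=4 HTTP/47 RPT=17 10.10.1.35 New administrator login: admin.",
    "3 1999 Dec 06 14:37:06.680 EDT -4:00 %HTTP-5-47:RPT=17 10.10.1.35: New administrator login: admin.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_event(line)
        print(ev["format"], ev["class"], ev["number"], IOS_MEANING[ev["ios_severity"]],
              ev["ip"], ev["message"])
    print(admin_logins(SAMPLE_LINES))
```

Both sample lines describe the same event (HTTP/47, repeat count 17, severity 4 in the Original scale), and the mapping confirms it: Original severity 4 becomes IOS severity 5 (Notification), which is exactly the "5" in %HTTP-5-47. Because IOS severity 6 covers both Original 5 and 6, and 7 covers 7 through 13, the reverse mapping is not unique, which is why the IOS-format record leaves original_severity unset.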


Events to Syslog

Click the Events to Syslog drop-down menu button and choose the range of event severity levels to send to a syslog server by default. The choices are: None, Severity 1, Severities 1-2, Severities 1-3, Severities 1-4, Severities 1-5 and Use Event List. The default is None. Using the default means that no events are sent to a syslog server. If you choose Use Event List, configure the Event List to specify the event types to send to the syslog server.

If you select any severity levels to send, you must also configure the syslog server(s) on the Configuration | System | Events | Syslog Servers screens.

Events to E-mail

Click the Events to E-mail drop-down menu button and choose the range of event severity levels to e-mail to recipients by default. The choices are: None, Severity 1, Severities 1-2, Severities 1-3, and Use Event List. The default is None. Using the default means that no events are sent via e-mail. If you choose Use Event List, configure the Event List to specify the event types to e-mail.

If you select any severity levels to e-mail, you must also configure an SMTP server on the Configuration | System | Events | SMTP Servers screens, and you must configure e-mail recipients on the Configuration | System | Events | E-mail Recipients screens. You should also configure the preceding E-mail Source Address.

Events to Trap

Click the Events to Trap drop-down menu button and choose the range of event severity levels to send to an SNMP network management system by default. Event messages sent to SNMP systems are called “traps.” The choices are: None, Severity 1, Severities 1-2, Severities 1-3, and Use Event List. The default is None: no events are sent as SNMP traps. If you choose Use Event List, configure the Event List to specify the event types to trap.

If you select any severity levels to send, you must also configure SNMP destination system parameters on the Configuration | System | Events | Trap Destinations screens.

The VPN Concentrator can send the standard, or “well-known,” SNMP traps listed in Table 9-4. To have an SNMP NMS receive them, you must configure the events as in the table, and configure a trap destination.

Table 9-4 Configuring “Well-Known” SNMP Traps

To Send this “Well-Known” SNMP Trap    Configure Either General Event Handling or this Event Class    With this Severity to Trap

coldStart    EVENT    1 or higher

linkDown    IP    1-3 or higher

linkUp    IP    1-3 or higher

authFailure (This trap is SNMP authentication failure, not tunnel authentication failure.)    SNMP    1-3 or higher


Event List

Use the Event List text box to define particular events that you want to track. This feature allows you to pare down the event log to contain just the events that interest you. You can track events by class, severity, or event ID.

You can use this feature in two ways. You can set global defaults to track this customized list, sending the results to your preferred event destination (log, console, syslog, e-mail, or trap). Or, you can override global defaults to track this customized list for an individual event class.

If you want to set global defaults to track this customized list of events, follow these steps:

• Define the event list, including the event classes, event severities, or particular event IDs to track.

• Choose Use Event List from one or more of the following drop-down menus on the Configuration | System | Events | General page (this page):

– Events to Log

– Events to Console

– Events to Syslog

– Events to E-mail

– Events to Trap

If you want to override any global defaults for a particular event class, so that only these events are tracked within that class, follow these steps:

• Define the event list, including the event severities or particular events within the event classes that you want to track.

• On the Configuration | System | Events | Classes page, select the event class you want to modify or add a new one.

• On the Configuration | System | Events | Classes | Add/Modify page, choose Use Event List from one or more of the following drop-down menus:

– Events to Log

– Events to Console

– Events to Syslog

– Events to E-mail

– Events to Trap


Event List Syntax

Each line in the Event List represents one entry. Each entry has the following format: <Event Class> / <List of Event IDs or Severity Numbers>, where the variables are described in the table at the end of this section.

Note the following rules:

• Separate each entry by a carriage return.

• An event class can appear multiple times on the list. For example:

IKE/SEV(1), SEV(3)

IKE/1, 13-45

• You can use spaces and tabs. The VPN Concentrator ignores all white space in the entry.

• Unknown event classes are not treated as errors, so you can use the same Event List across VPN Concentrators running different versions of the software.

The following lines are examples of valid event list entries:

ALL/SEV(1)

AUTH/1, 3-8, 22, SEV(2)

IKE/SEV(5-6)

Apply / Cancel

To include your settings for default event handling in the active configuration, click Apply. The Manager returns to the Configuration | System | Events screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events screen.

Event List variables:

Variable: Event Class
Can be: Any predefined event class
Syntax: Use the event class name
For example: IKE

Variable: Event Class
Can be: All event classes
Syntax: Use the keyword “ALL” (see note 1)
For example: ALL

Variable: Event IDs
Can be: A single event number
Syntax: Use the event number
For example: 123

Variable: Event IDs
Can be: A range of event numbers
Syntax: Use a hyphen to indicate the range
For example: 13-45

Variable: Severity Numbers
Can be: An event severity level or a range of event severity levels
Syntax: Use “SEV(L)”, where L is the event severity level or the range of event severity levels
For example: SEV(1) or SEV(1-3)

Variable: Any combination of the above
Can be: A combination of single events, a range of events, or event severities
For example: IKE/1,13-45,SEV(3)

1. For the ALL event class, you can specify only event severities, not particular event numbers. For example, ALL/SEV(1) is a valid entry; ALL/123 is not.
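The Event List syntax and rules above (one entry per line, white space ignored, SEV(L) ranges, the ALL restriction in note 1) are precise enough to implement. The following is an added example, not the Cisco VPN Concentrator's own parser, that validates an Event List and then answers the question a Use Event List setting answers on the device: would a given event (class, number, severity) be selected? Event class names are compared case-insensitively, and the function and class names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Added example (not the VPN Concentrator's code): parse and evaluate Event List
# entries of the form <Event Class> / <List of Event IDs or Severity Numbers>.
# Assumption: event class names are matched case-insensitively.

_CLASS_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")
_SEV_RE = re.compile(r"^SEV\((\d+)(?:-(\d+))?\)$", re.IGNORECASE)   # SEV(3) or SEV(1-3)
_ID_RE = re.compile(r"^(\d+)(?:-(\d+))?$")                          # 123 or 13-45


@dataclass
class EventListEntry:
    event_class: str                                  # e.g. "IKE", or "ALL"
    event_ids: set = field(default_factory=set)       # specific event numbers
    severities: set = field(default_factory=set)      # severity levels 1-13


def parse_entry(line: str):
    """Parse one Event List line; return None for a blank line."""
    text = re.sub(r"\s+", "", line)          # the Concentrator ignores all white space
    if not text:
        return None
    if "/" not in text:
        raise ValueError(f"missing '/' in {line!r}")
    cls, spec = text.split("/", 1)
    cls = cls.upper()
    if not _CLASS_RE.match(cls):
        raise ValueError(f"bad event class in {line!r}")
    entry = EventListEntry(cls)
    for item in spec.split(","):
        m = _SEV_RE.match(item)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            if not 1 <= lo <= hi <= 13:
                raise ValueError(f"severity out of range in {item!r}")
            entry.severities.update(range(lo, hi + 1))
            continue
        m = _ID_RE.match(item)
        if m:
            if cls == "ALL":      # note 1: ALL accepts severities only
                raise ValueError("ALL accepts only SEV(...) items, not event numbers")
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            if lo > hi:
                raise ValueError(f"descending range {item!r}")
            entry.event_ids.update(range(lo, hi + 1))
            continue
        raise ValueError(f"unrecognised item {item!r}")
    return entry


def parse_event_list(text: str):
    """Parse a whole Event List (one entry per line; a class may repeat)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if entry:
            entries.append(entry)
    return entries


def event_selected(entries, event_class: str, event_number: int, severity: int) -> bool:
    """True if an event with these attributes is selected by the Event List."""
    for e in entries:
        if e.event_class not in ("ALL", event_class.upper()):
            continue
        if event_number in e.event_ids or severity in e.severities:
            return True
    return False


# The manual's own three example entries.
SAMPLE_EVENT_LIST = "ALL/SEV(1)\nAUTH/1, 3-8, 22, SEV(2)\nIKE/SEV(5-6)"

if __name__ == "__main__":
    entries = parse_event_list(SAMPLE_EVENT_LIST)
    print(event_selected(entries, "IKE", 99, 6), event_selected(entries, "CERT", 5, 1))
```

Unknown event classes parse without error, matching the rule that the same list can be shared across software versions; they simply never match an event. The ALL restriction is enforced at parse time so that a list such as ALL/123 is rejected before it is applied rather than silently ignored.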


Configuration | System | Events | FTP Backup

This screen lets you configure parameters for using FTP to automatically back up saved event log files on a remote computer. If you enable FTP Saved Log on Wrap on the Configuration | System | Events | General screen, you must configure the FTP parameters on this screen.

The VPN Concentrator acts as an FTP client when executing this function. FTP carries the login credentials and the log files themselves in clear text, so the destination computer should be reachable only over a trusted management network, and the account you configure should have no rights on that computer beyond writing to the backup directory.

Note Another way to back up saved event log files on a remote computer is to enable an external Syslog server.

Figure 9-3 Configuration | System | Events | FTP Backup Screen

FTP Server

Enter the IP address or host name of the destination computer to receive copies of saved event log files via FTP. (If you have configured a DNS server, you can enter a host name; otherwise enter an IP address.)

FTP Directory

Enter the complete directory path name on the destination computer to receive copies of saved event log files. For example, c:\vpn\logfiles.


FTP Username

Enter the username for FTP login on the destination computer.

FTP Password

Enter the password to use with the FTP username. The field displays only asterisks.

Verify

Re-enter the FTP password to verify it. The field displays only asterisks.

Apply / Cancel

To include your FTP backup system settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Events screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events screen.


Configuration | System | Events | Classes

This section of the Manager lets you add, configure, modify, and delete specific event classes for special handling. You can thus override the general, or default, handling of event classes. For example, you might want to send e-mail for HARDWAREMON events of severity 1 and 2, whereas default event handling does not send any e-mail.

Event classes denote the source of an event and refer to a specific hardware or software subsystem within the VPN Concentrator. Table 9-1 describes the event classes.

Figure 9-4 Configuration | System | Events | Classes Screen

To configure default event handling, click the highlighted link that says “Click here to configure general event parameters.”

Configured Event Classes

The Configured Event Classes list shows the event classes that have been configured for special handling. The initial default entry is MIB2TRAP, which are SNMP MIB-II events, or “traps,” that you might want to monitor with an SNMP network management system. Other configured event classes are listed in order by class number and name. If no classes have been configured for special handling, the list shows --Empty--.


Add / Modify / Delete

To configure and add a new event class for special handling, click Add. See Configuration | System | Events | Classes | Add.

To modify an event class that has been configured for special handling, select the event class from the list and click Modify. See Configuration | System | Events | Classes | Modify.

To remove an event class that has been configured for special handling, select the event class from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining entries in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | Events | Classes | Add or Modify

These screens let you:

• Add and configure the special handling of a specific event class.

• Modify the special handling of a specific event class.

If you chose Use Event List for any of the fields on the Configuration | System | Events | General screen, that default will appear for the same field on this screen. For example, if you chose Use Event List for the Events to Trap field on the Configuration | System | Events | General screen, the Events to Trap field on this screen defaults to Use Event List as well.

Figure 9-5 Configuration | System | Events | Classes | Add or Modify Screen

Class Name

Add screen:

• Click the drop-down menu button and choose the event class you want to add and configure for special handling. (Please note that Select Class is an instruction reminder, not a class.) Table 9-1 describes the event classes.

Modify screen:

• The field shows the configured event class you are modifying. You cannot change this field.

All subsequent parameters on this screen apply to this event class only.

Enable

Check the Enable check box to enable the special handling of this event class. (The box is checked by default.)


Unchecking this box lets you set up the parameters for the event class but activate it later, or temporarily disable special handling without deleting the entry. The Configured Event Classes list on the Configuration | System | Events | Classes screen indicates disabled event classes. Disabled event classes are handled in accordance with the default parameters for all event classes.

Events to Log

Click the Events to Log drop-down menu button and choose the range of event severity levels to enter in the event log. Choices are: None, Severity 1, Severities 1-2, Severities 1-3, ..., Severities 1-13, and Use Event List. The default is Severities 1-5. Using the default means that events of severity level 1 through severity level 5 are entered in the event log.

If you choose Use Event List, configure the Event List on the Configuration | System | Events screen to specify which of the particular events in this class you want to log. See Configuration | System | Events | General.

Events to Console

Click the Events to Console drop-down menu button and choose the range of event severity levels to display on the console. Choices are: None, Severity 1, Severities 1-2, Severities 1-3, ..., Severities 1-13, and Use Event List. The default is Severities 1-3. Using the default means that events of severity level 1 through severity level 3 are displayed on the console.

If you choose Use Event List, configure the Event List on the Configuration | System | Events page to specify which of the particular events in this class you want to display on the console. See Configuration | System | Events | General.

Events to Syslog

Click the Events to Syslog drop-down menu button and choose the range of event severity levels to send to a syslog server. Choices are: None, Severity 1, Severities 1-2, Severities 1-3, ..., Severities 1-13, and Use Event List. The default is None. Using the default means that no events are sent to a syslog server.

Note Sending events to a syslog server generates IP packets. If this setting is above level 9, the packet-level events that those transmissions produce are themselves sent to syslog, which creates a feedback loop of ever more events. We strongly recommend that you keep this setting at or below level 6; never set it above level 9.

If you select any severity levels to send, you must also configure the syslog server(s) on the Configuration | System | Events | Syslog Servers screens, and you should configure the Syslog Format on the Configuration | System | Events | General screen.

If you choose Use Event List, configure the Event List on the Configuration | System | Events page to specify which of the particular events in this class you want to send to the syslog server. See Configuration | System | Events | General.


Events to E-mail

Click the Events to E-mail drop-down menu button and choose the range of event severity levels to send to recipients via e-mail. The choices are: None, Severity 1, Severities 1-2, Severities 1-3, and Use Event List. The default is None: no events are sent via e-mail.

If you select any event severity levels to e-mail, you must also configure an SMTP server on the Configuration | System | Events | SMTP Servers screen, and you must configure e-mail recipients on the Configuration | System | Events | E-mail Recipients screens. You should also configure the E-mail Source Address on the Configuration | System | Events | General screen.

If you choose Use Event List, configure the Event List on the Configuration | System | Events page to specify which of the particular events in this class you want to send. See Configuration | System | Events | General.

Events to Trap

Click the Events to Trap drop-down menu button and choose the range of event severity levels to send to an SNMP network management system. Event messages sent to SNMP systems are called “traps.” The choices are: None, Severity 1, Severities 1-2, Severities 1-3, Severities 1-4, Severities 1-5, and Use Event List. The default is None. Using the default means that no events are sent as SNMP traps.

If you select any event severity levels to send, you must also configure SNMP destination system parameters on the Configuration | System | Events | Trap Destinations screens.

To configure “well-known” SNMP traps, see Table 9-4 under Events to Trap for Configuration | System | Events | General.

Add or Apply / Cancel

To add this event class to the list of those with special handling, click Add. Or to apply your changes to this configured event class, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Classes screen. Any new event class appears in the Configured Event Classes list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events | Classes screen.


Configuration | System | Events | Trap Destinations

This section of the Manager lets you configure SNMP network management systems as destinations of event traps. Event messages sent to SNMP systems are called “traps.” If you configure any event handling, default or special, with values in the Events to Trap fields, you must configure trap destinations in this section.

To configure default event handling, click the highlighted link that says “Click here to configure general event parameters.” To configure special event handling, see the Configuration | System | Events | Classes screens.

To configure well-known SNMP traps, see Table 9-4.

To have an SNMP-based network management system (NMS) receive any events, you must also configure the NMS to see the VPN Concentrator as a managed device or agent in the NMS domain.

Figure 9-6 Configuration | System | Events | Trap Destinations Screen

Trap Destinations

The Trap Destinations list shows the SNMP network management systems that have been configured as destinations for event trap messages, and the SNMP protocol version associated with each destination. If no trap destinations have been configured, the list shows --Empty--.


Add / Modify / Delete

To configure a new SNMP trap destination, click Add. See Configuration | System | Events | Trap Destinations | Add.

To modify an SNMP trap destination that has been configured, select the destination from the list and click Modify. See Configuration | System | Events | Trap Destinations | Modify.

To remove an SNMP trap destination that has been configured, select the destination from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining entries in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | Events | Trap Destinations | Add or Modify

These screens let you:

• Add an SNMP destination system for event trap messages.

• Modify a configured SNMP destination system for event trap messages.

Figure 9-7 Configuration | System | Events | Trap Destinations | Add or Modify Screen

Destination

Enter the IP address or host name of the SNMP network management system that is a destination for event trap messages. (If you have configured a DNS server, you can enter a host name; otherwise enter an IP address.)

SNMP Version

Click the SNMP Version drop-down menu button and choose the SNMP protocol version to use when formatting traps to this destination. Choices are SNMPv1 (version 1; the default) and SNMPv2 (version 2).

Community

Enter the community string to use in identifying traps from the VPN Concentrator to this destination. The community string is like a password: it validates messages between the VPN Concentrator and this NMS destination. If you leave this field blank, the default community string is public. Both SNMP versions offered here send the community string in clear text and provide no other authentication, so do not rely on the default public, and do not reuse a community string that grants read-write access elsewhere on your network.

Port

Enter the UDP port number by which you access the destination SNMP server. Use a decimal number from 0 to 65535. The default value is 162, which is the well-known port number for SNMP traps.


Add or Apply / Cancel

To add this system to the list of SNMP trap destinations, click Add. Or to apply your changes to this trap destination, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Trap Destinations screen. Any new destination system appears in the Trap Destinations list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | Events | Trap Destinations screen, and the Trap Destinations list is unchanged.


Configuration | System | Events | Syslog Servers

This section of the Manager lets you configure syslog servers as recipients of event messages. Syslog is a daemon, or background process, that records events. The VPN Concentrator can send event messages in two syslog formats to configured syslog systems. If you configure any event handling, default or special, with values in the Events to Syslog fields, you must configure syslog servers in this section.

To configure default event handling and syslog formats, click the highlighted link that says “Click here to configure general event parameters.” To configure special event handling, see the Configuration | System | Events | Classes screens.

Figure 9-8 Configuration | System | Events | Syslog Servers Screen

Syslog Servers

The Syslog Servers list shows the syslog servers that have been configured as recipients of event messages. You can configure a maximum of five syslog servers. If no syslog servers have been configured, the list shows --Empty--.

Add / Modify / Delete

To configure a new syslog server, click Add. See Configuration | System | Events | Syslog Servers | Add.

To modify a syslog server that has been configured, select the server from the list and click Modify. See Configuration | System | Events | Syslog Servers | Modify.

To remove a syslog server that has been configured, select the server from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | Events | Syslog Servers | Add or Modify

These screens let you:

• Add a syslog server as a recipient of event messages. You can configure a maximum of five syslog servers.

• Modify a configured syslog server that is a recipient of event messages.

Figure 9-9 Configuration | System | Events | Syslog Servers | Add or Modify Screen

Syslog Server

Enter the IP address or host name of the syslog server to receive event messages. (If you have configured a DNS server, you can enter a host name; otherwise, enter an IP address.)

Port

Enter the UDP port number by which you access the syslog server. Use a decimal number from 0 to 65535. The default value is 514, which is the well-known port number. Syslog over UDP is neither authenticated nor encrypted, and lost datagrams are not retransmitted, so keep the path between the VPN Concentrator and the syslog server inside your management network and treat the syslog copy of the log as a supplement to, not a replacement for, the event log on the device.


Facility

Click the Facility drop-down menu button and choose the syslog facility tag for events sent to this server. The facility tag lets the syslog server sort messages into different files or destinations. The choices are:

• User = Random user-process messages.

• Mail = Mail system.

• Daemon = System daemons.

• Auth = Security or authorization messages.

• Syslog = Internal syslogd-generated messages.

• LPR = Line printer subsystem.

• News = Network news subsystem.

• UUCP = UUCP (UNIX-to-UNIX Copy Program) subsystem.

• Reserved (9) through Reserved (14) = Outside the Local range, with no name or assignment yet, but usable.

• CRON = Clock daemon.

• Local 0 through Local 7 (default) = User defined.

Add or Apply / Cancel

To add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Events | Syslog Servers screen, and the Syslog Servers list is unchanged.


Configuration | System | Events | SMTP Servers

This section of the Manager lets you configure SMTP servers that you use to e-mail event messages to e-mail recipients. If you configure any event handling, default or special, with values in the Events to E-mail fields, you must identify at least one SMTP server to handle the outgoing e-mail, and you must name at least one e-mail recipient to receive the event messages. You can configure two SMTP servers: one primary and one backup in case the primary is unavailable.

To configure e-mail recipients, see the Configuration | System | Events | E-mail Recipients screen.

To configure default event handling, click the highlighted link that says “Click here to configure general event parameters.” To configure special event handling, see the Configuration | System | Events | Classes screens.

Figure 9-10 Configuration | System | Events | SMTP Servers Screen

SMTP Servers

The SMTP Servers list shows the configured SMTP servers in the order in which the system accesses them. You can configure two prioritized SMTP servers so that you have a backup server in case the primary server is offline, congested, etc. If no SMTP servers have been configured, the list shows --Empty--.


Add / Modify / Delete / Move

To configure a new SMTP server, click Add. See Configuration | System | Events | SMTP Servers | Add.

To modify a configured SMTP server, select the server from the list and click Modify. See Configuration | System | Events | SMTP Servers | Modify.

To remove a configured SMTP server, select the server from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining entries in the SMTP Servers list.

To change the order in which the system accesses configured SMTP servers, select the server from the list and click Move [Up Arrow] or Move [Down Arrow]. The Manager refreshes the screen and shows the reordered SMTP Servers list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | Events | SMTP Servers | Add or Modify

These screens let you:

• Add an SMTP server to the list of configured SMTP servers. You can configure two SMTP servers: a primary and a backup.

• Modify the IP address or host name of a configured SMTP server.

Figure 9-11 Configuration | System | Events | SMTP Servers | Add or Modify Screen

SMTP Server

Enter the IP address or host name of the SMTP server. (If you have configured a DNS server, you can enter a host name; otherwise, enter an IP address.)

Add or Apply / Cancel

To add this server to the list of SMTP servers, click Add. Or to apply your changes to this SMTP server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | SMTP Servers screen. Any new server appears in the SMTP Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entry, click Cancel. The Manager returns to the Configuration | System | Events | SMTP Servers screen, and the SMTP Servers list is unchanged.


Configuration | System | Events | E-mail Recipients

This section of the Manager lets you configure e-mail recipients of event messages. You can configure a maximum of five e-mail recipients, and you can customize the event message severity levels for each recipient.

If you configure any event handling (either default or special) with values in the Events to E-mail fields, you must name at least one e-mail recipient to receive the event messages, and you must identify at least one SMTP server to handle the outgoing e-mail. You should also configure the E-mail Source Address on the Configuration | System | Events | General screen.

To configure SMTP servers, see the Configuration | System | Events | SMTP Servers screen, or click the highlighted link that says “configure an SMTP server.”

To configure default event handling, click the highlighted link that says “Click here to configure general event parameters.” To configure special event handling, see the Configuration | System | Events | Classes screens.

Figure 9-12 Configuration | System | Events | E-mail Recipients Screen

E-mail Recipients

The E-mail Recipients list shows configured event message e-mail recipients in the order they were configured. You can configure a maximum of five e-mail recipients. If no e-mail recipients have been configured, the list shows --Empty--.


Add / Modify / Delete

To configure a new e-mail recipient, click Add. See Configuration | System | Events | E-mail Recipients | Add.

To modify an e-mail recipient who has been configured, select the recipient from the list and click Modify. See Configuration | System | Events | E-mail Recipients | Modify.

To remove an e-mail recipient who has been configured, select the recipient from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining recipients in the E-mail Recipients list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | System | Events | E-mail Recipients | Add or Modify

These screens let you:

• Add and configure an event message e-mail recipient. You can configure a maximum of five e-mail recipients.

• Modify the parameters for a configured e-mail recipient.

Figure 9-13 Configuration | System | Events | E-mail Recipients | Add or Modify Screen

E-mail Address

Enter the recipient’s complete e-mail address, for example: [email protected].

Max Severity

Click the Max Severity drop-down menu button and choose the range of event severity levels to send to this recipient via e-mail. The choices are: None, 1, 1-2, 1-3. The default value is 1-3: configured events of severity level 1 through severity level 3 are sent to this recipient.

The event levels e-mailed to this recipient are the lesser of the Events to E-mail setting for a customized event class and this Max Severity setting. If an event class has not been customized, the events e-mailed are the lesser of this setting and the default Events to E-mail setting. For example, if you configure IPSEC events with severity levels 1-3 to e-mail, all other events with no severity to e-mail, and [email protected] to receive e-mail events of severity levels 1-2, cisco will receive only IPSEC events of severity levels 1-2.

Add or Apply / Cancel

To add this recipient to the list of e-mail recipients, click Add. Or to apply your changes to this e-mail recipient, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | E-mail Recipients screen. Any new recipient appears at the bottom of the E-mail Recipients list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your entry, click Cancel. The Manager returns to the Configuration | System | Events | E-mail Recipients screen, and the E-mail Recipients list is unchanged.


Chapter 10 General

General configuration parameters include VPN 3000 Concentrator environment items: system identification, time, and date.

Configuration | System | General

This section of the Manager lets you configure general VPN Concentrator parameters.

• Identification: System name, contact person, system location.

• Time and Date: System time and date.

• Sessions: The maximum number of sessions.

• Authentication: General authentication parameters.

Figure 10-1 Configuration | System | General Screen


Configuration | System | General | Identification

This screen lets you configure system identification parameters that are stored in the standard MIB-II system object. Network management systems using SNMP can retrieve this object and identify the system. Configuring this information is optional.

Figure 10-2 Configuration | System | General | Identification Screen

System Name

Enter a system name that uniquely identifies this VPN Concentrator on your network, for example: VPN01. The maximum name length is 255 characters.

Contact

Enter the name of the contact person who is responsible for this VPN Concentrator. The maximum name length is 255 characters.

Location

Enter the location of this VPN Concentrator. The maximum length is 255 characters.

Apply / Cancel

To apply your system identification settings and include them in the active configuration, click Apply. The Manager returns to the Configuration | System | General screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen.


Configuration | System | General | Time and Date

This screen lets you set the time and date on the VPN Concentrator. Setting the correct time is very important so that logging and accounting information is accurate.

Figure 10-3 Configuration | System | General | Time and Date Screen

Current Time

The screen shows the current date and time on the VPN Concentrator at the time the screen displays. You can refresh this by redisplaying the screen.

New Time

The values in the New Time fields are the time and date on the browser PC at the time the screen displays. Any entries you make apply to the VPN Concentrator, however.

In the appropriate fields, make any changes. The fields are, in order: Hour : Minute : Second Month / Day / Year Time Zone. Click the drop-down menu buttons to select Month and Time Zone.

The time is military time; that is, it is based on a twenty-four hour clock. (For example, 1:00 PM is 13:00:00.)

The time zone selections are offset relative to GMT (Greenwich Mean Time), which is the basis for Internet time synchronization.

Enter the Year as a four-digit number.


Enable DST SupportTo enable DST support, check the Enable DST Support check box. During DST (Daylight-Saving Time), clocks are set one hour ahead of standard time. Enabling DST support means that the VPN Concentrator automatically adjusts the time zone for DST or standard time. If your system is in a time zone that uses DST, you must enable DST support.

Apply / Cancel

To apply your time and date settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | General screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen.

Configuration | System | General | Sessions

The VPN Concentrator supports IPSec, PPTP, L2TP/IPSec, and WebVPN sessions, either singly or in combination. This screen lets you limit the number of simultaneous active sessions to fewer sessions than the VPN Concentrator could potentially support. For session limits, the VPN Concentrator treats IPSec, PPTP, and L2TP/IPSec sessions together; the Maximum Active Sessions parameter applies to them, and the Maximum Active WebVPN Sessions parameter applies to WebVPN sessions.

While it might seem intuitive that lowering the maximum number of one type of session would let the VPN Concentrator support more of the other, that is not how the VPN Concentrator works. Artificially lowering the number of active sessions of either type in fact lowers the capacity of the VPN Concentrator to support both types of sessions. The sections that follow provide examples.

Maximum Active Sessions: WebVPN or IPSec, PPTP and L2TP/IPSec

WebVPN sessions require significantly more VPN Concentrator resources than the other types; therefore, Table 10-1 lists them separately. It is important to recognize this difference when you configure a mixture of WebVPN and other types of secure sessions.

The VPN Concentrator hardware determines the maximum number of sessions supported, which therefore depends on the model. Table 10-1 lists the maximum number of concurrently active WebVPN sessions or IPSec, PPTP, and L2TP/IPSec sessions that each model of the VPN Concentrator permits.

Table 10-2 provides information on WebVPN session limits and throughput by platform. These numbers are based on standard capacity and performance tests that measure the VPN 3000 Concentrator’s retrieval of real web pages using WebVPN. Cisco used the following criteria to conduct these performance tests:

• A WebVPN session represents a single, logged-on TLS V1 WebVPN user encrypted with 3DES.

• Each user retrieves a web page at up to every 60 seconds.

• Users log in at the rate of one/second and pass data for the duration of the test.

• The benchmarked, average retrieval time for the web page is less than or equal to 5 seconds.

• The contents of the web page tested include: plain text, .gif files, .jpg files, URLs, and Javascript files.

Table 10-1 Maximum WebVPN or IPSec, PPTP, and L2TP Sessions

VPN Concentrator Model | MB Memory | WebVPN Sessions with No Other Sessions (Default = Maximum) | Maximum IPSec, PPTP and L2TP Sessions with No WebVPN Sessions (Default = Maximum) | Throughput (Mbs) (1)
3005 | 32 | 10 | 100 | 1
3005 | 64 | 50 | 200 | 1
3015 | 128 | 75 | 100 | 1.5
3020 with SEP-E | 256 | 200 | 750 | 9
3020 with SEP-E | 512 | 200 | | 9
3030 with SEP-E | 128 | 100 | 1,500 | 9
3030 with SEP-E | 256 | 200 | | 9
3030 with SEP-E | 512 | 500 | | 9
3060 with SEP-E | 256 | 200 | 5,000 | 10.3
3060 with SEP-E | 512 | 500 | | 10.3
3080 with SEP-E | 256 | 200 | 10,000 | 10.3
3080 with SEP-E | 512 | 500 | | 10.3

(1) These throughput numbers reflect performance measured with web pages that force the concentrator to do a lot of processing. The throughput rate with binary data files, or with files that require less inspection and processing, is approximately twice the throughput listed in this column.

Figure 10-4 Configuration | System | General | Sessions Screen

Maximum Active Sessions

The maximum number of concurrently active IPSec, PPTP, and L2TP/IPSec sessions permitted on this VPN Concentrator. The value that displays in this field by default is the maximum number, and Cisco recommends that you accept this value. This parameter lets you limit that number to fewer sessions.

Be aware that when the number of sessions reaches the value set, the VPN Concentrator permits no further sessions of any type. For example, if you set the maximum number of IPSec sessions on a VPN 3005 at 50, with 50 active IPSec sessions, the VPN Concentrator cannot accept even one WebVPN session, or any additional IPSec, PPTP or L2TP/IPSec sessions.

Note If you reduce the number of SEPs on the VPN Concentrator while the Concentrator is powered off, and if the new maximum allowed for the model is less than the configured value, when you next turn the VPN Concentrator on, the Maximum Active Sessions parameter is automatically reset to the new maximum for the model.

If you increase the number of SEPs on the VPN Concentrator, you must change the Maximum Active Sessions parameter manually.

Maximum Active WebVPN Sessions

The maximum number of concurrently active WebVPN sessions permitted on this VPN Concentrator. The value that displays in this field by default is the maximum number, and Cisco recommends that you accept this value. This parameter lets you limit that number to fewer sessions.

Be aware that when the number of sessions reaches the value set, the VPN Concentrator permits no further sessions of any type. For example, if you set the maximum number of WebVPN sessions on a VPN 3060 to 95, with 95 active WebVPN sessions, the VPN Concentrator cannot accept even one IPSec session, or any additional WebVPN sessions.

Ratios of WebVPN to IPSec, PPTP and L2TP/IPSec Sessions

The values for maximum active sessions in Table 10-1 imply a ratio of WebVPN to IPSec, PPTP and L2TP/IPSec sessions for each platform. You can use these ratios to plan and administer your network for VPN use.

Be aware that if you change the values for either of the Maximum Sessions parameters, you change the ratio for WebVPN to other sessions on the VPN Concentrator.

Table 10-2 provides examples of how the Maximum Session and Maximum WebVPN Sessions parameters interact for a VPN 3030 Concentrator with maximum memory and SEP-Es.

Table 10-2 Maximum Active Sessions Examples

Platform | Max Active Sessions (IPSec, PPTP, L2TP) setting | Max Active WebVPN sessions setting | Ratio WebVPN:Other sessions | Examples, WebVPN:Other sessions | Examples, Other sessions:WebVPN sessions
VPN 3030 with SEP-E and 512 MB memory | 1,500 (default) | 500 (default) | 1:3 | 50 active WebVPN sessions permits up to 1350 IPSec sessions | 1200 active IPSec sessions permits up to 100 WebVPN sessions
VPN 3030 with SEP-E and 512 MB memory | 800 | 100 | 1:8 | 50 active WebVPN sessions permits up to 400 IPSec sessions | 300 active IPSec sessions permits up to 62 WebVPN sessions
VPN 3030 with SEP-E and 512 MB memory | 1,500 | 50 | 1:30 | 10 active WebVPN sessions permits up to 1200 IPSec sessions | 800 active IPSec sessions permits up to 23 WebVPN sessions
VPN 3030 with SEP-E and 512 MB memory | 1,200 | 50 | 1:24 | 48 active WebVPN sessions permits up to 48 IPSec sessions | 800 IPSec sessions permits up to 16 WebVPN sessions
VPN 3030 with SEP-E and 512 MB memory | 1,200 | 50 | 1:24 | 50 active WebVPN sessions permits zero IPSec sessions | 1200 active IPSec sessions permits zero WebVPN sessions

When the number of active sessions reaches the configured value, the VPN Concentrator permits no further sessions of any type.

Apply / Cancel

To apply your session settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | General screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | System | General screen.
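The arithmetic behind the Table 10-2 examples, as an added example (not Cisco's code): it assumes the single-pool model the examples imply, in which each WebVPN session consumes max_sessions / max_webvpn slots of the Maximum Active Sessions budget, and it reproduces the table's rows as well as the VPN 3005 and VPN 3060 cases described above. The DEFAULTS values come from Table 10-1.

```python
"""Session-budget model behind Table 10-2 (added example, not Cisco code).

Assumed model: the two Maximum Sessions settings define one pool of
max_sessions slots. An IPSec/PPTP/L2TP session costs one slot; a WebVPN
session costs max_sessions / max_webvpn slots, which is the WebVPN:Other
ratio of Table 10-2. Capacities are floored, as in the table's examples.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class SessionLimits:
    max_sessions: int  # Maximum Active Sessions (IPSec, PPTP, L2TP/IPSec)
    max_webvpn: int    # Maximum Active WebVPN Sessions

    def __post_init__(self) -> None:
        if self.max_sessions <= 0 or self.max_webvpn <= 0:
            raise ValueError("both maximums must be positive")

    def ratio(self) -> str:
        """Ratio WebVPN:Other as Table 10-2 prints it, for example '1:3'."""
        return f"1:{self.max_sessions // self.max_webvpn}"

    def webvpn_cost(self, active_webvpn: int) -> int:
        """Slots of the max_sessions pool consumed by active WebVPN sessions."""
        return active_webvpn * self.max_sessions // self.max_webvpn

    def admits(self, active_webvpn: int, active_other: int,
               new_webvpn: int = 0, new_other: int = 0) -> bool:
        """True if the pool has room. Reaching either configured limit blocks
        further sessions of both kinds, as the text warns."""
        webvpn = active_webvpn + new_webvpn
        other = active_other + new_other
        return (webvpn <= self.max_webvpn
                and other <= self.max_sessions
                and other + self.webvpn_cost(webvpn) <= self.max_sessions)

    def remaining(self, active_webvpn: int, active_other: int) -> Tuple[int, int]:
        """(more WebVPN, more IPSec/PPTP/L2TP) sessions the pool can still take."""
        if not self.admits(active_webvpn, active_other):
            raise ValueError("current load already exceeds the configured limits")
        free_slots = self.max_sessions - active_other - self.webvpn_cost(active_webvpn)
        more_webvpn = min(self.max_webvpn - active_webvpn,
                          free_slots * self.max_webvpn // self.max_sessions)
        return more_webvpn, free_slots

    def other_capacity(self, active_webvpn: int) -> int:
        """IPSec/PPTP/L2TP sessions admissible alongside active_webvpn WebVPN sessions."""
        return self.remaining(active_webvpn, 0)[1]

    def webvpn_capacity(self, active_other: int) -> int:
        """WebVPN sessions admissible alongside active_other IPSec/PPTP/L2TP sessions."""
        return self.remaining(0, active_other)[0]


# Table 10-1 defaults for the models the text uses as examples.
DEFAULTS = {
    "3005 64MB": SessionLimits(max_sessions=200, max_webvpn=50),
    "3030 SEP-E 512MB": SessionLimits(max_sessions=1500, max_webvpn=500),
    "3060 SEP-E 512MB": SessionLimits(max_sessions=5000, max_webvpn=500),
}


if __name__ == "__main__":
    box = DEFAULTS["3030 SEP-E 512MB"]
    print(box.ratio(), box.other_capacity(50), box.webvpn_capacity(1200))
    # Lowering either maximum shrinks what the box can serve of *both* kinds.
    lowered = SessionLimits(max_sessions=800, max_webvpn=100)
    print(lowered.ratio(), lowered.other_capacity(50), lowered.webvpn_capacity(300))
```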

Configuration | System | General | Global Authentication Parameters

By default, the VPN Concentrator authenticates both software clients and VPN 3002 hardware clients on the basis of their username. For a client to connect, you enter a string of characters (in a username field) as identification.

The group lookup feature allows clients to be authenticated on the basis of a group in addition to their username. If this feature is enabled, the VPN Concentrator checks the identification string to see if it contains the configured group delimiter. If the string does contain the configured group delimiter, the VPN Concentrator interprets the characters to the right of the delimiter as the group name. It then authenticates the user on the basis of the tunnel group and applies the parameters of the specified group to the user. For example, if the user enters the string “JaneDoe#Cisco”, the VPN Concentrator interprets JaneDoe as the user, # as the delimiter, and Cisco as the group. It authenticates the user “JaneDoe” on the basis of the tunnel group and applies the Cisco group parameters.

If the string does not contain a group delimiter, the VPN Concentrator considers the entire string to be the username. It validates users on the basis of the username alone, and applies the parameters of the tunnel group to the user.

Figure 10-5 Configuration | System | General | Global Authentication Parameters Screen

Enable Group Lookup

Check the Enable Group Lookup check box to enable user authentication on the basis of both username and group name. Uncheck the box to disable group lookup.

Group Delimiter

If you checked the Enable Group Lookup box, click the Group Delimiter drop-down menu and choose one of the following characters to separate the username from the group name in the authentication string: @, #, or !. The default delimiter is @.

Note If you are using the Group Lookup feature and Strip Realm, do not use the @ character for the group delimiter. See the section below, “Strip Realm and Group Lookup,” for a full explanation of how the VPN Concentrator interprets delimiters for realms and groups.

Strip Group

Check Strip Group to remove the group name from the username during authentication. This option is meaningful only when you have also checked the Enable Group Lookup box.

You can configure authentication on the basis of username alone by unchecking the Enable Group Lookup box. Checking both the Enable Group Lookup box and Strip Group lets you maintain a database of users with group names appended on your AAA server, and at the same time authenticate users on the basis of their username alone.

Groups and Realms

You can associate users with groups and realms in the following combinations.

Groups

When you append a group name to a username using a delimiter, and enable Group Lookup, the VPN Concentrator interprets all characters to the left of the delimiter as the username, and those to the right as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for Group Lookup. You append the group to the username in the format username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and JaneDoe!VPNGroup.

Realms

A realm is an administrative domain. You can append the realm name to the username for AAA (authorization, authentication, and accounting). The only valid delimiter for a realm is the @ character. The format is username@realm, for example, [email protected].

Kerberos Realms

A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.

Note You can append both the realm and the group to a username, in which case the VPN Concentrator uses parameters configured for the group and for the realm for AAA functions. The format for this option is username[@realm][<# or !>group], for example, [email protected]#VPNGroup. If you choose this option, you must use either the # or ! character for the group delimiter because the Concentrator cannot interpret the @ as a group delimiter if it is also present as the realm delimiter.

Strip Realm and Group Lookup

Group Lookup is configurable globally in the present screen, Configuration | System | General | Global Authentication Parameters. Strip Realm is configurable on a group basis in the General tab of the Configuration | User Management | Base Group/Groups screens. If you enable Strip Realm, the VPN Concentrator removes the realm from the username before sending a request to an AAA server.

You can use Strip Realm and Group Lookup simultaneously to have the VPN Concentrator ignore the realm and use the values of the group for AAA.

Usernames with Groups and Realms Summary

Table 10-3 shows the credentials the VPN Concentrator uses for authentication according to how you configure a username, strip realm, and group lookup.

Table 10-3 Usernames with Groups and Realms

Username | Strip Realm Setting (@) | Enable Group Lookup Setting (@, #, or !) | Strip Group Setting | Username for Authentication
JaneDoe | No effect | No effect | NA | JaneDoe
[email protected] | Disabled | Disabled | NA | [email protected]
[email protected] | Disabled | Enabled using @ | Checked | JaneDoe; group = cisco.com
[email protected] | Disabled | Enabled using @ | Unchecked | [email protected]; group = cisco.com
[email protected] | Enabled | Disabled | NA | JaneDoe
[email protected]#VPNGroup | Disabled | Disabled | NA | [email protected]#VPNGroup
[email protected]#VPNGroup | Enabled | Disabled | NA | JaneDoe
[email protected]#VPNGroup | Disabled | Enabled using # or ! | Checked | [email protected]; group = VPNGroup
[email protected]#VPNGroup | Disabled | Enabled using # or ! | Unchecked | [email protected]#VPNGroup; group = VPNGroup
[email protected]#VPNGroup (This case is practical only if you have a group that contains the # character.) | Enabled | Enabled using # or ! | Checked | JaneDoe; group = VPNGroup
[email protected]#VPNGroup | Enabled | Enabled using # or ! | Unchecked | JaneDoe#VPNGroup; group = VPNGroup
JaneDoe@Group or Realm | Enabled | Enabled using @ | NA | Unsupported
[email protected]@VPNGroup | Enabled | Enabled using @ | NA | Unsupported

Note In addition to the realm and the group, the username may include a Windows domain. The domain is prepended to the username, and the valid delimiter is the \ character. The format is domain\username[@realm][#group], for example domain\JaneDoe. You would include a domain in corporate environments that have multiple Microsoft domains, and that require the domain for authentication.

Associating Users with Different Groups for Authentication

When you configure a VPN Client or a VPN 3002, you assign it to a group on the VPN Concentrator to which it connects. This is the tunnel group to which the client belongs. The attributes of the tunnel group determine how the client authenticates.

For authentication, you can associate users behind a VPN Concentrator or VPN 3002 with a group other than the tunnel group. You accomplish this by embedding a different group name within the username. To embed this second group name, you configure and use a delimiter (@, #, or !) that associates the second group with the user. The format to use is username<delimiter>groupname, for example, UserA#bluegroup.

When you embed a group name within a username:

• An individual user authenticates according to the priority order of the authentication servers you configure for the group embedded within its username.

• If you use external authentication servers, you have the flexibility of storing usernames and passwords for the VPN Concentrator or VPN 3002 on one server, and those for individual users behind the VPN Concentrator or VPN 3002 on another server or servers.

• Users behind the same VPN Concentrator or VPN 3002 can authenticate to different external servers. You configure this by embedding different groups for various users. For example, UserA#bluegroup might authenticate to a RADIUS server, while UserD#greengroup authenticates to an SDI server, or to a different RADIUS server.

Note The VPN 3002 always gets settings for interactive hardware client authentication from the tunnel group, not the embedded group.

Table 10-4 summarizes how UserA, UserB, and UserC connect to the central site through a VPN Concentrator or VPN 3002.

Table 10-4 Example: How Authentication Servers Work Using Embedded Groups

Username | Tunnel Group | Embedded Group | Authentication Server for the VPN Concentrator or VPN 3002 | Authentication Server for the Individual User
UserA | bluegroup | None | An authentication server configured for bluegroup. | User A uses an authentication server configured for bluegroup.
UserB#redgroup | bluegroup | redgroup | An authentication server configured for bluegroup. | User B uses an authentication server configured for redgroup.
UserC#greengroup | bluegroup | greengroup | An authentication server configured for bluegroup. | The VPN 3002 authenticates using an authentication server configured for greengroup.

Chapter 11 Client Update

Updating VPN Client software in an environment with a large number of devices in different locations can be a formidable task. For this reason, the VPN 3000 Concentrator includes a client update feature that simplifies the software update process. This feature works differently for VPN software clients and VPN 3002 Hardware Clients.

VPN Software Clients

The client update feature lets administrators at a central location automatically notify VPN Client users when it is time to update the VPN Client software.

When you enable client update, upon connection the central-site VPN Concentrator sends an IKE packet that contains an encrypted message that notifies VPN Client users about acceptable versions of executable system software. The message includes a location that contains the new version of software for the VPN Client to download. The administrator for that VPN Client can then retrieve the new software version, and update the VPN Client software.

You configure parameters that specify the acceptable versions of software and their locations. Updates are supported per group. This means that all members of a group can obtain the same updates from the same server at approximately the same time.

VPN 3002 Hardware Clients

The client update feature lets administrators at a central location automatically update software/firmware for VPN 3002 Hardware Clients deployed in diverse locations.

When you enable client update, upon connection the central-site VPN Concentrator sends an IKE packet that contains an encrypted message that notifies VPN 3002 hardware clients about acceptable versions of executable system software and their locations. If the VPN 3002 is not running an acceptable version, its software is automatically updated via TFTP.

To use client update, you need to have a TFTP server that can handle the volume and frequency of updates that your network requires. We recommend that you locate this server inside your network. The client update facility sends notify messages to VPN 3002s in batches of 10 at 5-minute intervals.

You configure parameters that specify the acceptable versions of software and their locations. Updates are supported per group. This means that all members of a group can obtain the same updates from the same server at approximately the same time.

The VPN 3002 logs event messages at the start of the update. When the update completes, the Hardware Client reboots automatically.

Note The VPN 3002 stores image files in two locations: the active location, which stores the image currently running on the system; and the backup location. Updating the image overwrites the stored image file in the backup location and makes it the active location for the next reboot. The client update process includes a test to validate the updated image. In the unlikely event that a client update is unsuccessful, the client does not reboot, and the invalid image does not become active. The update facility retries up to twenty times at 3-minute intervals. If an update is unsuccessful, the log files contain information indicating TFTP failures.

Configuration | System | Client Update

This section of the VPN 3000 Concentrator Manager lets you configure the client update feature.

• Enable: Enables or disables client update.

• Entries: Configures updates by client type, acceptable firmware and software versions, and their locations.

Figure 11-1 Configuration | System | Client Update Screen

Configuration | System | Client Update | Enable

This screen lets you disable or enable client update.

Figure 11-2 Configuration | System | Client Update | Enable Screen

Enable

Uncheck or check the Enable check box to disable or enable client update (by default, client update is enabled).

Apply or Cancel

To apply your change to client update, click Apply. This action includes your entry in the active configuration. The Manager returns to the Configuration | System | Client Update screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Client Update screen, and the settings are unchanged.

Configuration | System | Client Update | Entries

This screen lets you add, modify, or delete client update entries.

Figure 11-3 Configuration | System | Client Update | Entries Screen

Update Entry

The update entry list shows the configured client update entries. Each entry shows the platform and acceptable software/firmware versions. If no updates have been configured, the list shows --Empty--.

Actions

To configure and add a new client update entry, click Add. The Manager opens the Configuration | System | Client Update | Entries | Add screen.

To modify parameters for a client update entry that has been configured, select the entry from the list and click Modify. The Manager opens the Configuration | System | Client Update | Modify screen.

To remove a client update entry that has been configured, select the entry from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining entries in the list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | Client Update | Entries | Add or Modify

These screens let you configure and change client update parameters.

Figure 11-4 Configuration | System | Client Update | Entries | Add or Modify Screens

Client Type

Enter the client type you want to update.

• For the VPN Client: Enter the Windows operating systems to notify. The entry must be exact, including case and spacing:

– Windows includes all Windows-based platforms.

– Win9X includes Windows 95, Windows 98, and Windows ME platforms.

– WinNT includes Windows NT 4.0, Windows 2000, and Windows XP platforms.

Note The VPN Concentrator sends a separate notification message for each entry in a Client Update list. Therefore your client update entries must not overlap. For example, the value Windows includes all Windows platforms, and the value WinNT includes Windows NT 4.0, Windows 2000 and Windows XP platforms. So you would not include both the values Windows and WinNT.

• For the VPN 3002 Hardware Client: Your entry must be vpn3002, including case and spacing.

URL

Enter the URL for the software/firmware image. This URL must point to a file appropriate for this client.

• For the VPN Client: To activate the Launch button on the VPN Client Notification, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

http://10.10.99.70/vpnclient-win-3.5.Rel-k9.exe

The directory is optional. You need the port number only if you use ports other than 80 for http or 443 for https.

• For the VPN 3002 Hardware Client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

tftp://10.10.99.70/vpn3002-3.5.Rel-k9.bin

The directory is optional.

Revisions

Enter a comma-separated list of software or firmware images appropriate for this client. The following caveats apply:

• The revision list must include the software version for this update.

• Your entries must match exactly those on the URL for the VPN Client, or the TFTP server for the VPN 3002.

• The URL above must point to one of the images you enter.

If the client is already running a software version on the list, it does not need a software update. If the client is not running a software version on the list, an update is in order.

• A VPN Client user must download an appropriate software version from the listed URL.

• The VPN 3002 Hardware Client software is automatically updated via TFTP.
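A pre-flight check of a set of client update entries against the rules of the Client Type, URL and Revisions fields above, as an added example (not Cisco's code). It assumes that "the URL must point to one of the images you enter" means the URL's filename contains one of the listed revision strings, as in the manual's own examples (vpnclient-win-3.5.Rel-k9.exe for revision 3.5.Rel); UpdateEntry and the check functions are this example's names.

```python
"""Consistency checks for Configuration | System | Client Update entries
(added example, not Cisco code). Encodes the rules the Add or Modify screen
states: exact client type strings, http(s) for the VPN Client and tftp for the
VPN 3002, a server address, a filename that carries one of the listed
revisions (assumption), and no overlapping Windows entries.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple
from urllib.parse import urlparse

VPN_CLIENT_TYPES = ("Windows", "Win9X", "WinNT")   # exact case and spacing
HARDWARE_CLIENT_TYPE = "vpn3002"


@dataclass(frozen=True)
class UpdateEntry:
    client_type: str
    url: str
    revisions: Tuple[str, ...]   # the comma-separated Revisions field, already split


def check_entry(entry: UpdateEntry) -> List[str]:
    """Return the problems with one entry; an empty list means it passes."""
    problems: List[str] = []
    if entry.client_type not in VPN_CLIENT_TYPES + (HARDWARE_CLIENT_TYPE,):
        problems.append(f"client type {entry.client_type!r} is not Windows, Win9X, WinNT or vpn3002")
    parsed = urlparse(entry.url)
    if entry.client_type == HARDWARE_CLIENT_TYPE:
        if parsed.scheme != "tftp":
            problems.append("vpn3002 URL must be tftp://server_address/[directory/]filename")
    elif parsed.scheme not in ("http", "https"):
        problems.append("VPN Client URL must start with http:// or https:// to activate Launch")
    if not parsed.hostname:
        problems.append("URL has no server address (IP address or DNS hostname)")
    filename = parsed.path.rsplit("/", 1)[-1]
    if not filename:
        problems.append("URL does not end in a filename")
    if not entry.revisions:
        problems.append("Revisions list is empty")
    elif filename and not any(rev in filename for rev in entry.revisions):
        # Assumption: the image filename embeds the revision string.
        problems.append(f"URL filename {filename!r} matches none of the revisions {entry.revisions}")
    return problems


def check_entries(entries: Sequence[UpdateEntry]) -> List[str]:
    """Check each entry, then the cross-entry rule: one notification is sent per
    entry, so entries must not overlap (Windows already covers Win9X and WinNT)."""
    problems = [f"{e.client_type}: {p}" for e in entries for p in check_entry(e)]
    types = [e.client_type for e in entries]
    for t in sorted(set(types)):
        if types.count(t) > 1:
            problems.append(f"client type {t!r} appears {types.count(t)} times")
    if "Windows" in types and any(t in types for t in ("Win9X", "WinNT")):
        problems.append("Windows overlaps Win9X/WinNT: use Windows alone or the specific platforms")
    return problems


if __name__ == "__main__":
    # Constructed entries using the URLs shown in this section.
    entries = [
        UpdateEntry("WinNT", "http://10.10.99.70/vpnclient-win-3.5.Rel-k9.exe", ("3.5.Rel",)),
        UpdateEntry("vpn3002", "tftp://10.10.99.70/vpn3002-3.5.Rel-k9.bin", ("3.5.Rel",)),
    ]
    print(check_entries(entries) or "all entries consistent")
```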

Add or Apply / Cancel

To add this client update entry to the list of configured update entries, click Add. Or, to apply your changes, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Client Update screen. Any new entry appears at the bottom of the Update Entries list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Client Update screen, and the Update Entries list is unchanged.

Tip For more information about VPN Client updates, specifically the VPN Client Launch button, refer to the VPN Client Administrator Guide.

Chapter 12 Load Balancing Cisco VPN Clients

If you have a remote-client configuration in which you are using two or more VPN Concentrators connected on the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. Load balancing directs session traffic to the least loaded device, thus distributing the load among all devices. It makes efficient use of system resources and provides increased performance and high availability.

Note Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (Release 3.0 and later), or the Cisco VPN 3002 Hardware Client (Release 3.5 or later) or the Cisco PIX 501/506E when acting as an Easy VPN client. Load balancing works with both IPSec clients and WebVPN sessions. All other clients, including LAN-to-LAN connections, can connect to a VPN Concentrator on which load balancing is enabled, but they cannot participate in load balancing.

Note You cannot use load balancing with Virtual Router Redundancy Protocol (VRRP). In a VRRP configuration, the backup device remains idle unless the active VPN Concentrator fails. In a load balancing configuration, there are no idle devices.

To implement load balancing, you group together logically two or more devices on the same private LAN-to-LAN network, private subnet, and public subnet into a virtual cluster.

All devices in the virtual cluster carry session loads. One device in the virtual cluster, the virtual cluster master, directs incoming calls to the other devices, called secondary devices. The virtual cluster master monitors all devices in the cluster, keeps track of how busy each is, and distributes the session load accordingly. The role of virtual cluster master is not tied to a physical device; it can shift among devices. For example, if the current virtual cluster master fails, one of the secondary devices in the cluster takes over that role and immediately becomes the new virtual cluster master.

The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not tied to a specific physical device. It belongs to the current virtual cluster master; hence, it is virtual. A VPN Client attempting to establish a connection connects first to this virtual cluster IP address. The virtual cluster master then sends back to the client the public IP address of the least-loaded available host in the cluster. In a second transaction (transparent to the user), the client connects directly to that host. In this way, the virtual cluster master directs traffic evenly and efficiently across resources.

Note All clients other than the Cisco VPN Client or the Cisco 3002 Hardware Client connect directly to the VPN Concentrator as usual; they do not use the virtual cluster IP address.

If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster IP address. The virtual cluster master then directs these connections to another active device in the cluster. Should the virtual cluster master itself fail, a secondary device in the cluster immediately and automatically takes over as the new virtual cluster master. Even if several devices in the cluster fail, users can continue to connect to the cluster as long as any one device in the cluster is up and available.

Preliminary Steps

Before you can configure load balancing on a VPN Concentrator, you must do the following:

• Configure the private and public interfaces.

• Configure the filters for the private and public interfaces to allow the Virtual Cluster Agent (VCA) load balancing protocol.

Configure Interfaces

In the Configuration | Interfaces window, check to see that the public and private interfaces have been defined and have status UP. If either interface is undefined, you must define it now. For more information on defining interfaces, see the section on Configuration | Interfaces.

When load balancing is enabled, an SSL certificate is associated with the load-balancing (public) interface. This load balancing SSL certificate is generated automatically when load balancing is enabled, and is deleted automatically if load balancing is later disabled.

Configure Filters

Complete the following steps to configure the filters for the private and public interfaces to allow the VCA load balancing protocol:

Step 1 In the Configuration | Interfaces window, select Ethernet1 (Private). The Configuration | Interfaces | Ethernet1 window appears.

Step 2 Select the General tab.

Step 3 Click the drop-down Filter menu button and choose Private (Default).

Step 4 Click Apply.

Step 5 In the Configuration | Interfaces window, select Ethernet2 (Public). The Configuration | Interfaces | Ethernet2 window appears.

Step 6 Select the General tab.

Step 7 Click the drop-down Filter menu button and choose Public (Default).

Step 8 Click Apply.

Step 9 Open the Configuration | Policy Management | Traffic Management | Filters window.

Step 10 Select Private (Default) from the Filter list.

Step 11 Click Assign Rules to Filter. The Configuration | Policy Management | Traffic Management | Assign Rules to Filter window appears.

Step 12 Make sure that VCA In (forward/in) and VCA Out (forward/out) are in the Current Rules in Filter list. If they are not in this list, add them.

Step 13 Click Done.

Step 14 In the Configuration | Policy Management | Traffic Management | Filters window, select Public (Default) from the Filter list.

Step 15 Click Assign Rules to Filter. The Configuration | Policy Management | Traffic Management | Assign Rules to Filter window appears.

Step 16 Make sure that VCA In (forward/in) and VCA Out (forward/out) are in the Current Rules in Filter list. If they are not in this list, add them.

Step 17 Click Done.

Step 18 Click the Save Needed icon to save your edits.

Configuration | System | Load Balancing

This screen allows you to enable load balancing on the VPN Concentrator.

Enabling load balancing involves two steps:

Step 1 Configure the cluster: establish a common virtual cluster IP address, UDP port (if necessary), and IPSec shared secret for the cluster. These values are identical for every device in the cluster.

Step 2 Configure the device: enable load balancing on the device and define device-specific properties. These values vary from device to device.

Reminder:

Before you can enable load balancing on your VPN Concentrator, you must complete the steps outlined in the Preliminary Steps section.

Figure 12-1 Configuration | System | Load Balancing Screen

Cluster Configuration

Establish a virtual cluster by defining a common VPN virtual cluster IP address, UDP port, and shared secret. These values must be identical on every device in the virtual cluster.

Note All devices in the virtual cluster must be on the same public and private IP subnet.

VPN Virtual Cluster IP Address

Enter the single IP address that represents the entire virtual cluster. Choose an IP address that is within the public subnet address range shared by all the VPN Concentrators in the virtual cluster.

VPN Virtual Cluster UDP Port

If another application is already using the default load-balancing port, enter the UDP destination port number to use for load balancing instead.

Encryption

The VPN Concentrators in the virtual cluster communicate via LAN-to-LAN tunnels using IPSec. To ensure that all load-balancing information communicated between the VPN Concentrators is encrypted, check the Encryption check box.

IPSec Shared Secret

This option is available only if you have checked the preceding Encryption option. Enter the IPSec shared secret for the virtual cluster. The shared secret is a common password that authenticates members of the virtual cluster. IPSec uses the shared secret as a pre-shared key to establish secure tunnels between virtual cluster peers.

Verify Shared Secret

Re-enter the IPSec shared secret.

Device Configuration

Configure the following fields to establish this VPN Concentrator as a member of the virtual cluster.

Load Balancing Enable

Check the Load Balancing Enable check box to include this VPN Concentrator in the virtual cluster.

Priority

Enter a priority for this VPN Concentrator within the virtual cluster. The priority is a number from 1 to 10 that indicates the likelihood of this device becoming the virtual cluster master either at start-up or when an existing master fails. The higher you set the priority (for example 10), the more likely this device becomes the virtual cluster master.

If your virtual cluster includes different models of VPN Concentrators, we recommend that you choose the device with the greatest load capacity to be the virtual cluster master. For this reason, priority defaults are hardware dependent. (See Table 12-1.)

If your virtual cluster is made up of identical devices (for example, if all the devices in the virtual cluster are VPN Concentrator 3060s), set the priority of every device to 10. Setting all identical devices to the highest priority shortens the length of time needed to select the virtual cluster master.

Which Device Becomes the Virtual Cluster Master?

If the devices in the virtual cluster are powered up at different times, the first device to be powered up assumes the role of virtual cluster master. Because every virtual cluster requires a master, each device in the virtual cluster checks at power-up to ensure that the cluster has a virtual master. If none exists, that device takes on the role. Devices powered up and added to the cluster later become secondary devices.

If all the devices in the virtual cluster are powered up simultaneously, the device with the highest priority setting becomes the virtual cluster master.

If two or more devices in the virtual cluster are powered up simultaneously and share the highest priority setting, the one with the lowest IP address becomes the virtual cluster master.

Once the virtual cluster is established and operating, if the VPN Concentrator that holds the role of the virtual cluster master should fail, the secondary device with the highest priority setting takes over. Again in this case, if two or more devices in the virtual cluster share the highest priority setting, the one with the lowest IP address becomes the virtual cluster master.

Table 12-1 Priority Defaults for VPN Concentrators

VPN Concentrator Model    Priority Default
3005                      1
3015                      3
3020                      4
3030                      5
3060                      7
3080                      9

NAT Assigned IP Address

If this VPN Concentrator is behind a firewall using NAT, NAT has assigned it a public IP address. Enter the NAT IP address.

If this device is not using NAT, enter 0.0.0.0. The default setting is 0.0.0.0.
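
The master election rules under Device Configuration and the NAT Assigned IP Address rule above, modelled together as an added Python example. This is not Cisco code and not the VCA protocol itself; the device names, addresses and session counts are constructed sample data, the priority defaults come from Table 12-1, and the choice to break a priority tie on the public-interface address is an assumption, since the page says only "lowest IP address":

```python
"""Added example, not Cisco's code: a model of the virtual cluster behaviour
this section describes (staggered and simultaneous power-up, master failover,
client redirection to the least-loaded member, NAT-assigned address).
Device names, addresses and session counts are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Hardware-dependent priority defaults from Table 12-1.
PRIORITY_DEFAULTS = {"3005": 1, "3015": 3, "3020": 4, "3030": 5, "3060": 7, "3080": 9}


@dataclass
class Member:
    name: str                       # constructed label for the device
    model: str                      # VPN Concentrator model, keys Table 12-1
    public_ip: str                  # public interface address
    nat_ip: str = "0.0.0.0"         # NAT Assigned IP Address; 0.0.0.0 = no NAT
    priority: Optional[int] = None  # 1..10; None = use the Table 12-1 default
    sessions: int = 0               # current session load
    up: bool = True

    def __post_init__(self):
        if self.priority is None:
            self.priority = PRIORITY_DEFAULTS[self.model]
        if not 1 <= self.priority <= 10:
            raise ValueError("priority must be between 1 and 10")

    def advertised_ip(self) -> str:
        """Address the master hands to clients: the NAT-assigned public
        address when the device sits behind NAT, else its own public IP."""
        return self.public_ip if self.nat_ip == "0.0.0.0" else self.nat_ip


def elect_master(members: List[Member]) -> Optional[Member]:
    """Highest priority wins; a tie goes to the lowest IP address.
    Assumption: 'lowest IP' is compared on the public interface address."""
    live = [m for m in members if m.up]
    if not live:
        return None
    return min(live, key=lambda m: (-m.priority, ip_address(m.public_ip)))


class VirtualCluster:
    def __init__(self, virtual_ip: str):
        self.virtual_ip = virtual_ip  # shared address clients connect to first
        self.members: List[Member] = []
        self.master: Optional[Member] = None

    def power_up(self, member: Member) -> Member:
        """Staggered power-up: a device that finds no master takes the role,
        whatever its priority; devices added later join as secondaries."""
        self.members.append(member)
        if self.master is None or not self.master.up:
            self.master = member
        return self.master

    def power_up_all(self, members: List[Member]) -> Optional[Member]:
        """Simultaneous power-up: priority, then lowest IP, decides."""
        self.members.extend(members)
        self.master = elect_master(self.members)
        return self.master

    def fail(self, member: Member) -> Optional[Member]:
        """A failed master is replaced by the highest-priority live secondary."""
        member.up = False
        if member is self.master:
            self.master = elect_master(self.members)
        return self.master

    def connect(self) -> Optional[str]:
        """A client hits the virtual IP; the master answers with the address of
        the least-loaded live member, which the client then connects to directly."""
        live = [m for m in self.members if m.up]
        if self.master is None or not live:
            return None
        target = min(live, key=lambda m: m.sessions)
        target.sessions += 1
        return target.advertised_ip()
```

Two points the model makes visible: with staggered power-up a low-priority 3005 stays master until it fails, even after a 3080 joins, which is why the page recommends setting identical devices to priority 10; and a member behind NAT must have its NAT Assigned IP Address set, or the master redirects clients to an address they cannot reach.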

Apply/Cancel

To add this VPN Concentrator to the specified virtual cluster and thus establish load balancing on this device, click Apply. The Manager returns to the Configuration | System screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System screen.

CHAPTER 13

User Management

Groups and users are core concepts in managing the security of VPNs and in configuring the VPN Concentrator. Groups and users have attributes, configured via parameters, that determine their access to and use of the VPN. Users are members of groups, and groups are members of the base group. If you do not assign a user to a particular group, that user is by default a member of the base group. This section of the Manager lets you configure those parameters.

Groups simplify system management. To streamline the configuration task, the VPN Concentrator provides a base group that you configure first. The base-group parameters are those that are most likely to be common across all groups and users. As you configure a group, you can simply specify that it “inherit” parameters from the base group; and a user can also “inherit” parameters from a group. Thus you can quickly configure authentication for large numbers of users.

Of course, if you decide to grant identical rights to all VPN users, then you do not need to configure specific groups. But VPNs are seldom managed that way. For example, you might allow a Finance group to access one part of a private network, a Customer Support group to access another part, and an MIS group to access other parts. Further, you might allow specific users within MIS to access systems that other MIS users cannot access.

You can configure detailed parameters for groups and users on the VPN Concentrator internal authentication server. External RADIUS authentication servers also can return group and user parameters that match those on the VPN Concentrator; other authentication servers do not; they can, however, authenticate users.

The VPN 3000 software CD-ROM includes a link that customers with CCO logins can use to access an evaluation copy of the CiscoSecure ACS RADIUS authentication server. The VPN 3000 software CD-ROM also has current VPN 3000 VSA registry files that let customers load new supported attributes on their ACS server, and provides instructions for using them.

The VPN Concentrator internal authentication server is adequate for a small user base. The maximum number of groups and users (combined) that you can configure in the internal server depends on your VPN Concentrator model. (See Table 13-1.) For larger numbers of users, we recommend using the internal server to configure groups (and perhaps a few users) and using an external authentication server (RADIUS, NT Domain, SDI) to authenticate the users.

The VPN Concentrator checks authentication parameters in this order:

• First: User parameters. If any parameters are missing, the system looks at:

• Second: Group parameters. If any parameters are missing, the system looks at:

• Third, for IPSec users only: IPSec tunnel-group parameters. These are the parameters of the IPSec group used to create the tunnel. The IPSec group is configured on the internal server or on an external RADIUS server. If any parameters are missing, the system looks at base group parameters. For VPN 3002 Hardware Client parameters, which enable or disable interactive hardware client authentication and individual user authentication, the IPSec tunnel group parameters take precedence over parameters set for users and groups.

• Last: Base-group parameters.

If you use a non-RADIUS server, only the IPSec tunnel-group or base-group parameters apply to users.

Some additional points to note:

• Base-group parameters are the default, or system-wide, parameters.

• A user can be a member of only one group.

• A user that is not a member of a group can nevertheless assume attributes from that group if you join the groupname to the username using a delimiter. See Configuration | System | General | Global Authentication Parameters for information on how to select and use a delimiter.

• Users who are not members of a specific group are, by default, members of the base group. Therefore, to ensure maximum security and control, you should assign all users to appropriate groups, and you should configure base-group parameters carefully.

• You can change group parameters, thereby changing parameters for all its members at the same time.

• You can delete a group, but when you do, all its members revert to the base group. Deleting a group, however, does not delete its members’ user profiles.

• You can override the base-group parameters when you configure groups and users, and give groups and users more or fewer rights with this exception:

For PPTP and L2TP authentication protocols, you can allow specific groups and users to use fewer protocols than the base group, but not more.

For all other parameters, groups’ and users’ rights can be greater than the base group. For example, you can give a specific user 24-hour access to the VPN, but give the base group access during business hours only.
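
The lookup order above (user, group, IPSec tunnel group, base group), the hardware-client exception, the non-RADIUS server rule, and the PPTP/L2TP narrowing rule, as an added Python example. This is not Cisco code; the parameter names, values and the PPP authentication protocol names (PAP, CHAP, MSCHAPv2, EAP) are constructed sample data:

```python
"""Added example, not Cisco's code: a resolver that models the parameter
lookup order described above. Parameter names and values are constructed."""
from typing import Dict, Optional, Set, Tuple

# VPN 3002 hardware-client parameters: the IPSec tunnel group wins outright.
HW_CLIENT_PARAMS = {"interactive_hw_client_auth", "individual_user_auth"}

Params = Optional[Dict[str, object]]


def _lookup(table: Params, param: str):
    return None if table is None else table.get(param)


def resolve(param: str, *, base: Dict[str, object], user: Params = None,
            group: Params = None, tunnel_group: Params = None,
            ipsec: bool = False, auth_server: str = "internal") -> Tuple[object, str]:
    """Return (value, source) for one parameter.

    Each scope is a dict of the parameters explicitly set there; a missing
    key means 'inherit from the next scope'. auth_server is 'internal' or
    'radius' when the authenticating server returns user and group
    attributes; any other external server (NT Domain, SDI) only authenticates,
    so just the tunnel group (IPSec users) and the base group apply.
    """
    chain = []
    if ipsec and param in HW_CLIENT_PARAMS:
        chain.append(("tunnel-group", tunnel_group))  # precedence exception
    if auth_server in ("internal", "radius"):
        chain += [("user", user), ("group", group)]
    if ipsec:
        chain.append(("tunnel-group", tunnel_group))
    chain.append(("base-group", base))
    for source, table in chain:
        value = _lookup(table, param)
        if value is not None:  # False is a real value (e.g. a disabled option)
            return value, source
    return None, "unset"


def effective_ppp_auth_protocols(base: Set[str], group: Optional[Set[str]] = None,
                                 user: Optional[Set[str]] = None) -> Set[str]:
    """PPTP/L2TP authentication protocols are the one parameter a group or
    user may only narrow: the most specific configured set applies, clipped
    to the base group's set so it can never grant more."""
    chosen = user if user is not None else group
    if chosen is None:
        return set(base)
    return set(chosen) & set(base)
```

The last assertion in the usage below is the security-relevant one: a user profile that lists a protocol the base group does not allow gains nothing, whereas for every other parameter (idle timeout, access hours) the more specific scope simply wins.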

Table 13-1 Maximum Number of Groups and Users for the Internal Authentication Server

VPN Concentrator Model    Maximum Number of Groups and Users (Combined)
3005                      100
3015                      100
3020                      250
3030                      500
3060                      1000
3080                      1000

• You apply filters to groups and users, and thus govern tunneled data traffic through the VPN Concentrator. You also apply filters to network interfaces, and thus govern all data traffic through the VPN Concentrator. See the Configuration | Policy Management | Traffic Management screens.

• We can supply a “dictionary” of Cisco-specific user and group parameters for external RADIUS servers.

We recommend that you define groups when planning your VPN, and that you configure groups and users on the VPN Concentrator in this order:

1. Base-group parameters.

2. Group parameters.

3. User parameters.

Before configuring groups and users, you should configure system policies, including network lists, access hours, filters, rules, and IPSec security associations (see Configuration | Policy Management).

In addition to configuring groups and users, you also need to configure authentication servers, specifically the internal authentication server (see Configuration | System | Servers). You can specify authentication servers globally or per group.

Configuration | User Management

This section of the Manager lets you configure base-group, group, and individual user parameters. These parameters determine access and use of the VPN Concentrator.

Figure 13-1 Configuration | User Management Screen

Configuration | User Management | Base Group

This Manager screen lets you configure the default, or base-group, parameters. Base-group parameters are those that are most likely to be common across all groups and users, and they streamline the configuration task. Groups can “inherit” parameters from this base group, and users can “inherit” parameters from their group or the base group. You can override these parameters as you configure groups and users. Users who are not members of a group are, by default, members of the base group.

On this screen, you configure the following kinds of parameters:

• General Parameters: Security, access, performance, and protocols.

• IPSec Parameters: IP Security tunneling protocol.

• Mode Config Parameters: Banner, password storage, split-tunneling policy, default domain name, IPSec over UDP, backup servers.

• Client FW Parameters: VPN Client personal firewall requirements.

• HW Client Parameters: Interactive hardware client and individual user authentication; network extension mode.

• PPTP/L2TP Parameters: PPTP and L2TP tunneling protocols.

• WebVPN Parameters: SSL VPN access.

Before configuring these parameters, you should configure:

• Access Hours (Configuration | Policy Management | Access Hours).

• Rules and filters (Configuration | Policy Management | Traffic Management | Rules and Filters).

• IPSec Security Associations (Configuration | Policy Management | Traffic Management | Security Associations).

• Network Lists for filtering and split tunneling (Configuration | Policy Management | Traffic Management | Network Lists).

• User Authentication servers, and specifically the internal authentication server (Configuration | System | Servers | Authentication).

Using the Tabs

This screen includes three tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel.

General Parameters Tab

This tab lets you configure general security, access, performance, and protocol parameters that apply to the base group.

Figure 13-2 Configuration | User Management | Base Group Screen, General Tab

Access Hours

Click the Access Hours drop-down menu button and select the named hours when remote-access users can access the VPN Concentrator. Configure access hours on the Configuration | Policy Management | Access Hours screen. Default entries are:

• -No Restrictions- = No named access hours applied (the default), which means that there are no restrictions on access hours.

• Never = No access at any time.

• Business Hours = Access 9 a.m. to 5 p.m., Monday through Friday.

Additional named access hours that you have configured also appear on the list.

Simultaneous Logins

Enter the number of simultaneous logins permitted for a single internal user. The minimum is 0, which disables login and prevents user access; default is 3. While there is no maximum limit, allowing several could compromise security and affect performance.

Minimum Password Length

Enter the minimum number of characters for user passwords. The minimum is 1, the default is 8, and the maximum is 32. For security we strongly recommend 8 or higher.

Allow Alphabetic-Only Passwords

Check the Allow Alphabetic-Only Passwords check box to allow user passwords with alphabetic characters only (the default). This option applies only to users who are configured in and authenticated by the VPN Concentrator internal authentication server. To protect security, we strongly recommend that you not allow such passwords. Require passwords to be a mix of alphabetic characters, numbers, and symbols, such as 648e&9G#.
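
The two internal-server password rules just described (Minimum Password Length with its 1 to 32 bounds and 8 default, and Allow Alphabetic-Only Passwords), plus the page's stronger recommendation of mixed character classes, as an added Python checker. This is not Cisco code; the sample passwords are constructed:

```python
"""Added example, not Cisco's code: a checker for the internal-server
password rules described above. Sample passwords are constructed."""
import string
from typing import List

LENGTH_MIN, LENGTH_DEFAULT, LENGTH_MAX = 1, 8, 32  # bounds stated on the page


def check_password(password: str, min_length: int = LENGTH_DEFAULT,
                   allow_alphabetic_only: bool = True) -> List[str]:
    """Return the list of rule violations; an empty list means the password
    passes the configured policy (this applies to internal-server users only)."""
    if not LENGTH_MIN <= min_length <= LENGTH_MAX:
        raise ValueError("min_length must be between 1 and 32")
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if (not allow_alphabetic_only and password
            and all(c in string.ascii_letters for c in password)):
        problems.append("alphabetic characters only")
    return problems


def meets_recommendation(password: str) -> bool:
    """The page's recommendation: at least the default length and a mix of
    alphabetic characters, numbers and symbols (e.g. 648e&9G#)."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return len(password) >= LENGTH_DEFAULT and has_alpha and has_digit and has_symbol
```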

Idle Timeout

Enter the idle timeout period in minutes. If there is no communication activity on a connection in this period, the system terminates the connection. The minimum is 1 minute, the default is 30 minutes, and the maximum is 10080 minutes. To disable timeout and allow an unlimited idle period, enter 0 (zero).

Note This value applies to WebVPN users unless you set it to 0 (zero). In that case, the WebVPN idle timeout set in Configuration | Tunneling and Security | WebVPN | HTTPS Proxy Default Idle Timeout applies.

We recommend that you set a short idle-timeout value for WebVPN users. This is because when a browser is set to disable cookies, or prompts for cookies but denies them, users do not connect, but they still appear in the Administration | Administer Sessions | RAS database. If Simultaneous Logins (Configuration | User Management | Base Group/Groups) is set to one, the user can't log in again because the maximum number of connections already exists. If you set a low idle timeout for WebVPN users, these cookies are deleted quickly, letting a user reconnect.

Note This parameter does not apply to individual users behind a VPN 3002 as they authenticate to the remote network. The Users Idle Timeout value set in the Hardware Client tab of the Configuration | User Management | Base Group/Groups | Add/Modify screen is the timeout value that applies.

Maximum Connect Time

Enter the maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, enter 0 (the default).

Filter

Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies three default filters, which you can modify. To configure filters and rules, see the Configuration | Policy Management | Traffic Management screens.

Click the Filter drop-down menu button and select the base-group filter:

• --None-- = No filter applied, which means there are no restrictions on tunneled data traffic. This is the default selection.

• Private (Default) = Allow all packets except source-routed IP packets. (This is the default filter for the private Ethernet interface.)

• Public (Default) = Allow inbound and outbound tunneling protocols plus ICMP and VRRP. Allow fragmented IP packets. Drop everything else, including source-routed packets. (This is the default filter for the public Ethernet interface.)

• External (Default) = No rules applied to this filter. Drop all packets. (This is the default filter for the external Ethernet interface.)

Additional filters that you have configured also appear on the list.

Release 4.1 Affects Filters

The 4.0 VPN Concentrator enforces these filter rules as follows:

• Rule 1. Allow HTTPS In/Out for PC 1.

• Rule 2. Drop all other HTTPS traffic (the default action).

When you upgrade to Release 4.1 and enable the Allow Management HTTPS sessions or Allow WebVPN HTTPS sessions parameters on the public interface, enforcement changes. The VPN Concentrator now enforces filter rules in the following order:

• Rule 1. Allow HTTPS in/out for PC 1.

• Rule 2. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.

• Rule 3. Drop all other HTTPS traffic (the default action).

Rule 2 prevents Rule 3 from ever being enforced. Any PC on the public network can HTTPS in or out of the VPN Concentrator.

With Release 4.1 you must explicitly define rules to disallow HTTPS traffic from specific PCs. In the following example, you must define Rule 2:

• Rule 1. Allow HTTPS In/Out for PC 1.

• Rule 2. Disallow every other PC (0.0.0.0/255.255.255.255).

• Rule 3. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.

• Rule 4. Drop all other HTTPS traffic (the default action).
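
The ordering problem described in Release 4.1 Affects Filters, and the explicit deny that fixes it, as an added first-match Python model. This is not Cisco code and not the concentrator's filter engine; the PC addresses are constructed, the example only models HTTPS rules, and the wildcard mask is read the usual Cisco way (a 1 bit means "don't care"), which is how the page's 0.0.0.0/255.255.255.255 comes to mean every PC:

```python
"""Added example, not Cisco's code: a first-match model of the HTTPS filter
evaluation described above. It shows why the implicit Release 4.1 allow rule
makes the default drop unreachable, and how an explicit deny restores the
intended policy. Addresses are constructed sample data."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

HTTPS_PORT = 443


@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "drop"
    address: str   # source address, dotted decimal
    wildcard: str  # 0.0.0.0 = this host only, 255.255.255.255 = any address
    port: int = HTTPS_PORT

    def matches(self, src_ip: str, port: int) -> bool:
        """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
        if port != self.port:
            return False
        src, base = int(IPv4Address(src_ip)), int(IPv4Address(self.address))
        care = ~int(IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (src ^ base) & care == 0


# Rule 1 from the page's example: HTTPS allowed only for PC 1 (constructed address).
PC1 = "192.0.2.10"
ALLOW_PC1 = Rule("Rule 1: Allow HTTPS In/Out for PC 1", "allow", PC1, "0.0.0.0")
# The explicit deny the page says you must define under Release 4.1.
DENY_EVERY_OTHER_PC = Rule("Disallow every other PC", "drop",
                           "0.0.0.0", "255.255.255.255")
MGMT_HTTPS = Rule("Allow Management/WebVPN HTTPS sessions", "allow",
                  "0.0.0.0", "255.255.255.255")
DEFAULT_DROP = Rule("Drop all other HTTPS traffic (default)", "drop",
                    "0.0.0.0", "255.255.255.255")


def effective_rules(explicit_rules: List[Rule], allow_mgmt_https: bool) -> List[Rule]:
    """Rules in enforcement order: the administrator's rules, then (Release
    4.1, with Allow Management HTTPS or Allow WebVPN HTTPS sessions enabled on
    the interface) the implicit allow, then the default drop."""
    rules = list(explicit_rules)
    if allow_mgmt_https:
        rules.append(MGMT_HTTPS)
    rules.append(DEFAULT_DROP)
    return rules


def evaluate(explicit_rules: List[Rule], src_ip: str, *, allow_mgmt_https: bool,
             port: int = HTTPS_PORT) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches the packet."""
    for rule in effective_rules(explicit_rules, allow_mgmt_https):
        if rule.matches(src_ip, port):
            return rule.action, rule.name
    return "drop", "no rule matched"  # only for non-HTTPS ports in this model


def shadowed_rules(explicit_rules: List[Rule], allow_mgmt_https: bool) -> List[str]:
    """Names of rules that can never fire because an earlier any-address rule
    on the same port already decides every packet."""
    rules = effective_rules(explicit_rules, allow_mgmt_https)
    shadowed, blocked_ports = [], set()
    for rule in rules:
        if rule.port in blocked_ports:
            shadowed.append(rule.name)
        elif rule.wildcard == "255.255.255.255":
            blocked_ports.add(rule.port)
    return shadowed
```

`shadowed_rules` is the check worth running after an upgrade: if the default drop appears in its output while the only explicit rules are allows, every HTTPS source is being accepted.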

Primary DNS

Enter the IP address, in dotted decimal notation, of the primary DNS server for base-group users. The system sends this address to the client as the first DNS server to use for resolving host names. If the base group does not use DNS, leave this field blank. See the Note on DNS and WINS entries section under Configuration | User Management | Groups | Add or Modify (Internal).

Note WebVPN users get their DNS information from the DNS servers you configure globally in the Configuration | System | Servers | DNS screen. They do not get DNS information from the Base Group or Group settings.

Secondary DNS

Enter the IP address, in dotted decimal notation, of the secondary DNS server for base-group users. The system sends this address to the client as the second DNS server to use for resolving host names.

Primary WINS

Enter the IP address, in dotted decimal notation, of the primary WINS server for base-group users. The system sends this address to the client as the first WINS server to use for resolving host names under Windows NT. If the base group does not use WINS, leave this field blank. (See the Note on DNS and WINS entries on page 13-71).

Secondary WINS

Enter the IP address, in dotted decimal notation, of the secondary WINS server for base-group users. The system sends this address to the client as the second WINS server to use for resolving host names under Windows NT.

SEP Card Assignment

The VPN Concentrator can contain up to four Scalable Encryption Processing (SEP) or SEP-E (Enhanced SEP) modules that handle encryption functions, which are compute-intensive. This parameter lets you configure the load on each SEP or SEP-E module.

Check the SEP Card Assignment check box to assign this user to a given SEP or SEP-E module. By default, all boxes are checked, and we recommend that you keep the default. If your system does not have a given SEP or SEP-E module, the parameter is ignored.

Tunneling Protocols

Check the desired Tunneling Protocols check boxes to select the VPN tunneling protocols that users can use. Configure parameters on the IPSec or PPTP/L2TP tabs as appropriate. Clients can use only the selected protocols.

You cannot check both IPSec and L2TP over IPSec. The IPSec parameters differ for these two protocols, and you cannot configure the base group for both.

• PPTP = Point-to-Point Tunneling Protocol (checked by default). PPTP is a client-server protocol, and it is popular with Microsoft clients. Microsoft Dial-Up Networking (DUN) 1.2 and 1.3 under Windows 95/98 support it, as do versions of Windows NT 4.0 and Windows 2000.

• L2TP = Layer 2 Tunneling Protocol (checked by default). L2TP is a client-server protocol. It combines many features from PPTP and L2F (Layer 2 Forwarding).

• IPSec = IP Security Protocol (checked by default). IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec. The Cisco VPN Client is an IPSec client specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients.

• L2TP over IPSec = L2TP using IPSec for security (unchecked by default). L2TP packets are encapsulated within IPSec, thus providing an additional authentication and encryption layer for security. L2TP over IPSec is a client-server protocol that provides interoperability with the Windows 2000 VPN client. Other remote-access clients that comply with the standard can also use it, but they are not officially supported.

• WebVPN = VPN via SSL/TLS. Uses a web browser to establish a secure remote-access tunnel to a VPN Concentrator; requires neither a software nor hardware client. WebVPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.

Note If no protocol is selected, no user clients can access or use the VPN.

Strip Realm

Check the Strip Realm check box to remove the realm qualifier of the username during authentication. If you check this Strip Realm box, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must check this box if your server is unable to parse delimiters.

Note If you are using the Group Lookup feature and Strip Realm, do not use the @ character for the group delimiter. See the section, “Configuration | System | General | Global Authentication Parameters,” of this guide for a full explanation of how the VPN Concentrator interprets delimiters with respect to realms and groups.

DHCP Network Scope

To use this feature, the VPN Concentrator must be using a DHCP server for address assignment. To configure a DHCP server, see the Configuration | System | Servers | DHCP screen.

Enter the IP sub-network that the DHCP server should assign to users in this group, for example: 200.0.0.0. The DHCP Network Scope indicates to the DHCP server the range of IP addresses from which to assign addresses to users in this group.

Enter 0.0.0.0 for the default; by default, the DHCP server assigns addresses to the IP sub-network of the VPN Concentrator’s private interface.

IPSec Parameters Tab

This tab lets you configure IP Security Protocol parameters that apply to the base group. If you checked IPSec or L2TP over IPSec under Tunneling Protocols on the General Parameters tab, configure this section.

Four parameters on this tab apply to WebVPN users in the base group who authenticate with digital certificates: Authentication, Authorization Type, Authorization Required, and DN Field.

Figure 13-3 Configuration | User Management | Base Group Screen, IPSec Tab

IPSec SA

Click the IPSec SA drop-down menu button and select the IPSec Security Association (SA) assigned to IPSec clients. During tunnel establishment, the client and server negotiate a Security Association that governs authentication, encryption, encapsulation, key management, etc. You configure IPSec Security Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens.

To use IPSec with remote-access clients, you must assign an SA. With IPSec LAN-to-LAN connections, the system ignores this selection and uses parameters from the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screens.

The VPN Concentrator supplies these default selections:

• --None-- = No SA assigned. Select this option if you need to configure groups with several different SAs.

• ESP-DES-MD5 = This SA uses DES 56-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.

• ESP-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel. This is the default selection.

• ESP/IKE-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.

• ESP-3DES-NONE = This SA uses Triple-DES 168-bit data encryption and no authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.

• ESP-L2TP-TRANSPORT = This SA uses DES 56-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic (with ESP applied only to the transport layer segment), and it uses Triple-DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the L2TP over IPSec tunneling protocol.

• ESP-3DES-MD5-DH7 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel. It uses Diffie-Hellman Group 7 (ECC) to negotiate Perfect Forward Secrecy. This option is intended for use with the MovianVPN client, but you can use it with other clients that support D-H Group 7 (ECC).

• ESP-3DES-MD5-DH5 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel. It uses Diffie-Hellman Group 5 to negotiate Perfect Forward Secrecy.

• ESP-AES128-SHA = This SA uses AES 128-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/SHA/HMAC-128 authentication for IPSec traffic, and SHA/HMAC-128 authentication for the IKE tunnel.

Additional SAs that you have configured also appear on the list.


IKE Peer Identity Validation

Click the IKE Peer Identity Validation drop-down menu button, and select the type of peer identity validation.

Note This option applies only to tunnel negotiations based on certificates.

During IKE tunnel establishment, the peer provides its identity: either an IP address, a fully qualified domain name (FQDN), or a distinguished name (DN). It also presents a certificate, which contains none, some, or all of these fields. If IKE peer identity validation is enabled, the VPN Concentrator compares the peer’s identity to the like field in the certificate to see if the information matches. If the information matches, then the peer’s identity is validated and the VPN Concentrator establishes the tunnel. If the information does not match, the VPN Concentrator drops the tunnel. This feature provides an additional level of security.

IKE Peer Identity Validation can be useful for binding a peer to a particular IP address or domain name. For example, if the IP address that the peer provided as an identification during tunnel establishment does not match the IP address in its certificate, the VPN Concentrator fails to validate the peer and drops the tunnel.

Ideally, all the VPN Concentrator's peers are configured to provide matching types of identity and certificate fields. In this case, enabling Peer Identity Validation ensures that the VPN Concentrator checks the validity of every peer, and only validated peers connect. In practice, some peers might not be configured to provide this data. The peer provides a certificate, but that certificate might not contain any of the matching fields required for an identity check. (For example, the peer might provide an IP address for its identity and its certificate might contain only a distinguished name.) If a peer does not provide sufficient information for the VPN Concentrator to check its identity, there are two possibilities: the VPN Concentrator either establishes the session or drops it. If you want the VPN Concentrator to drop sessions of peers that do not provide sufficient information to perform an identity check, choose Required. If you want the VPN Concentrator to establish sessions for peers that do not provide sufficient identity information to perform a check, select If supported by certificate.

• Required = Enable the IKE peer identity validation feature. If a peer’s certificate does not provide sufficient information to perform an identity check, drop the tunnel.

• If supported by certificate = Enable the IKE peer identity validation feature. If a peer’s certificate does not provide sufficient information to perform an identity check, allow the tunnel.

• Do not check = Do not check the peer’s identity at all. Selecting this option disables the feature.
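The decision the three settings make, written out as an added example (not code from the Cisco manual or from the VPN Concentrator software): the identity kinds, the certificate fields and the mode names follow the text above, while the PeerCertificate class, the function names and the RFC 5737 documentation address used as sample input are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The three IKE Peer Identity Validation settings, as named in the manual.
REQUIRED = "Required"
IF_SUPPORTED = "If supported by certificate"
DO_NOT_CHECK = "Do not check"


@dataclass
class PeerCertificate:
    """Assumed representation of the identity-bearing fields of a peer certificate.
    Each may be absent (None): the manual says a certificate contains none,
    some, or all of these fields."""
    ip_address: Optional[str] = None   # IP address carried in the certificate
    fqdn: Optional[str] = None         # fully qualified domain name in the certificate
    dn: Optional[str] = None           # distinguished name (subject)


def _like_field(identity_type: str, cert: PeerCertificate) -> Optional[str]:
    """The certificate field of the same kind as the IKE identity, or None."""
    fields = {"ip": cert.ip_address, "fqdn": cert.fqdn, "dn": cert.dn}
    if identity_type not in fields:
        raise ValueError("IKE identity must be 'ip', 'fqdn' or 'dn', got %r" % identity_type)
    return fields[identity_type]


def _matches(identity_type: str, claimed: str, in_cert: str) -> bool:
    # DNS names are case-insensitive; IP addresses compare exactly. The manual
    # does not say how DNs are normalised, so this example compares the DN
    # strings exactly as given (an assumption of this example).
    if identity_type == "fqdn":
        return claimed.lower().rstrip(".") == in_cert.lower().rstrip(".")
    return claimed == in_cert


def validate_peer_identity(identity_type: str, claimed: str,
                           cert: PeerCertificate, mode: str) -> Tuple[bool, str]:
    """Decide whether the tunnel is established under the chosen mode.

    identity_type/claimed are the IKE identity the peer sent ('ip', 'fqdn' or
    'dn' and its value). Returns (establish_tunnel, reason)."""
    if mode == DO_NOT_CHECK:
        return True, "peer identity validation disabled"
    if mode not in (REQUIRED, IF_SUPPORTED):
        raise ValueError("unknown IKE Peer Identity Validation mode: %r" % mode)
    in_cert = _like_field(identity_type, cert)
    if in_cert is None:
        # No field of the same kind in the certificate, so no check is possible:
        # Required drops the tunnel, If supported by certificate allows it.
        if mode == REQUIRED:
            return False, "certificate has no %s field; dropped (Required)" % identity_type
        return True, "certificate has no %s field; allowed (If supported)" % identity_type
    if _matches(identity_type, claimed, in_cert):
        return True, "IKE %s identity matches the certificate" % identity_type
    return False, "IKE %s identity %r does not match certificate value %r" % (
        identity_type, claimed, in_cert)


def decision_matrix(identity_type: str, claimed: str,
                    cert: PeerCertificate) -> Dict[str, bool]:
    """Outcome for the same peer under all three settings, to compare them side by side."""
    return {mode: validate_peer_identity(identity_type, claimed, cert, mode)[0]
            for mode in (REQUIRED, IF_SUPPORTED, DO_NOT_CHECK)}


if __name__ == "__main__":
    # Constructed peer: its IKE identity is an IP address (RFC 5737 documentation
    # range), but its certificate carries only a distinguished name.
    branch = PeerCertificate(dn="CN=branch-gw,O=Example Corp")
    print(decision_matrix("ip", "203.0.113.5", branch))
```

The constructed peer in the `__main__` block is exactly the case the paragraph above describes: a certificate with none of the matching fields. Only Required turns that gap into a dropped tunnel; a mismatch between the identity and a field that is present is dropped under both Required and If supported by certificate.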


IKE Keepalives

Check the IKE Keepalives check box to enable IKE keepalives. (IKE keepalives is enabled by default.) This feature lets the VPN Concentrator monitor the continued presence of a remote peer and to report its own presence to that peer. If the peer becomes unresponsive, the VPN Concentrator removes the connection. Enabling IKE keepalives prevents hung connections when the IKE peer loses connectivity.

There are various forms of IKE keepalives. For this feature to work, both the VPN Concentrator and its remote peer must support a common form. This feature works with the following peers:

• Cisco VPN Client (Release 3.0 and above)

• Cisco VPN 3000 Client (Release 2.x)

• Cisco VPN 3002 Hardware Client

• Cisco VPN 3000 Series Concentrators

• Cisco IOS software

• Cisco Secure PIX Firewall

Non-Cisco VPN clients do not support IKE keepalives.

If you are configuring a group of mixed peers, and some of those peers support IKE keepalives and others do not, enable IKE keepalives for the entire group. The feature does not affect the peers that do not support it.

If you disable IKE keepalives, connections with unresponsive peers remain active until they time out, so we recommend you keep your idle timeout short. To change your idle timeout, see the Configuration | User Management | Groups screen, General tab.

Note To reduce connectivity costs, disable IKE keepalives if this group includes any clients connecting via ISDN lines. ISDN connections normally disconnect if idle, but the IKE keepalives mechanism prevents connections from idling and therefore from disconnecting.

If you do disable IKE keepalives, the client disconnects only when either its IKE or IPSec keys expire. Failed traffic does not disconnect the tunnel with the Peer Timeout Profile values as it does when IKE keepalives are enabled.

Note If you have a LAN-to-LAN configuration using IKE main mode, make sure the two peers have the same IKE keepalives configuration: both must have IKE keepalives enabled or both must have it disabled.

Confidence Interval

This field applies only to Easy VPN compliant clients that are using IKE Keepalives. Easy VPN compliant clients are:

• Cisco VPN 3002 Hardware Client

• Cisco Easy VPN Client for IOS Routers

• PIX 501/506 Easy VPN Remote Hardware Client

Enter the number of seconds the VPN Concentrator should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a LAN-to-LAN group is 10 seconds. The default for a remote access group is 300 seconds.


Tunnel Type

Click the Tunnel Type drop-down menu button and select the type of IPSec tunnel that clients use:

• LAN-to-LAN = IPSec LAN-to-LAN connections between two VPN Concentrators (or between a VPN Concentrator and another protocol-compliant security gateway). See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN section. If you select this type, ignore the rest of the parameters on this tab.

• Remote Access = Remote IPSec client connections to the VPN Concentrator (the default). If you select this type, configure Remote Access Parameters.

Remote Access Parameters

These base-group parameters apply to remote-access IPSec client connections only. If you select Remote Access for Tunnel Type, configure these parameters.

Group Lock

Check the Group Lock check box to restrict users to remote access through this group only. Group Lock restricts users by checking if the group configured in the VPN client is the same as the user’s assigned group. If it is not, the VPN Concentrator prevents the user from connecting.

If this box is unchecked (the default), the system authenticates a user without regard to the user’s assigned group.

Authentication

Whenever a VPN software or VPN 3002 hardware client attempts a tunneled connection to a network behind a VPN Concentrator, that client is authenticated by means of a username and password. This authentication occurs when the tunnel initiates.

Click the Authentication drop-down menu button and select the authentication method (authentication server type) to use with this group’s remote-access IPSec clients. Both VPN Clients and VPN 3002 hardware clients authenticate on the first server of the type you configure.

This selection identifies the authentication method, not the specific server. Configure authentication servers on the Configuration | System | Servers | Authentication screens or Configuration | User Management | Groups | Authentication Servers screens.

For the VPN 3002, this selection applies to authentication using a saved username and password and to interactive hardware client authentication. Individual users behind the VPN 3002 authenticate according to the priority order of all authentication servers configured, regardless of type. For more information on the different ways in which a VPN 3002 can authenticate, see the section, “HW Client Parameters Tab.”

WebVPN users authenticating with digital certificates use an authorization server for authentication. For these users, set the value in this Authentication field to None.

Note To configure user-based authentication for VPN Clients, choose an Authentication method, then follow the additional steps outlined under Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add, Modify, or Copy.


Selecting any authentication method (other than None) enables ISAKMP Extended Authentication, also known as XAUTH.

• None = No IPSec user authentication method.

– If you checked L2TP over IPSec under Tunneling Protocols, use this selection.

– If WebVPN users in the base group authenticate with digital certificates, select None in this screen because these users authenticate using an Authorization server.

• RADIUS = Authenticate clients via external RADIUS server.

• RADIUS with Expiry = Authenticate clients via external RADIUS server. If the password has expired, notify the client and offer the opportunity to create a new password.

• NT Domain = Authenticate clients via external Windows NT Domain system.

• SDI = Authenticate clients via external RSA Security Inc. SecurID system.

• Kerberos/Active Directory = Authenticate users via an external Windows Active Directory or a UNIX/Linux Kerberos server.

• Internal = Authenticate clients via the internal VPN Concentrator authentication server. This is the default selection.

Enabling RADIUS with Expiry lets the VPN Concentrator use MS-CHAP-v2 when authenticating an IPSec client to an external RADIUS server. That RADIUS server must support both MS-CHAP-v2 and the Microsoft Vendor Specific Attributes. Refer to the documentation for your RADIUS server to verify that it supports these capabilities.

With MS-CHAP-v2, when you enable RADIUS with Expiry on the VPN Concentrator, the VPN Concentrator can provide enhanced login failure messages to the VPN Client describing specific error conditions. These conditions are:

• Restricted login hours.

• Account disabled.

• No dial-in permission.

• Error changing password.

• Authentication failure.

Note For RADIUS with Expiry to work with a VPN 3002, the VPN 3002 must have the Require Interactive Hardware Client Authentication feature enabled.

Authorization Type

This field applies to IPSec users and to WebVPN users that authenticate with digital certificates. These WebVPN users use an Authorization server for authentication.

Select an authorization type.

• None = Do not authorize users in this group.

• RADIUS = Use an external RADIUS authorization server to authorize users in this group.

• LDAP = Use an external LDAP authorization server to authorize users in this group.


Authorization Required

If you are using authorization, you can make it mandatory or optional. Check the Authorization Required check box if you want to require users to authorize successfully to connect. If authorization fails for any reason (including the user’s inability to access the authorization server), the connection fails.

If you do not want a connection to depend on authorization, make authorization optional. To make authorization optional, uncheck the Authorization Required check box. In this case, if authorization fails, the VPN Concentrator notes the failure in the log and allows the connection to continue.

Check this box for WebVPN users that authenticate with digital certificates.

DN Field

If IPSec or WebVPN users in this group are authenticating by means of digital certificates and require LDAP or RADIUS authorization, choose a field from the certificate to identify the user to the authorization server.

For example, if you choose E-mail Address, users authenticate according to their e-mail address. Then a user with the Common Name (CN) John Doe and an email address of [email protected] cannot authenticate as John Doe or as johndoe. He must authenticate as [email protected].

• CN otherwise OU = If there is a CN field in the certificate, use the CN field. If there is not a CN field in the certificate, use the OU field.

• Common Name (CN)

• Surname (SN)

• Country (C)

• Locality (L)

• State/Province (SP)

• Organization (O)

• Organizational Unit (OU)

• Title (T)

• Name (N)

• Given Name (GN)

• Initials (I)

• E-mail Address (EA)

• Generational Qualifier (GENQ)

• DN Qualifier (DNQ)

• Serial Number (SER)

• All the DN Fields


IPComp

If all members of this group are remote dial-in users connecting with modems, enabling data compression might speed up their data transmission rates. Data compression shrinks data by replacing repeating information with symbols that use less space. Click the IPComp drop-down menu button to enable data compression using IPComp.

• None = No data compression.

• LZS = Enable data compression using the LZS compression algorithm.

Caution Data compression increases the memory requirement and CPU utilization for each user session and consequently decreases the overall throughput of the VPN Concentrator. For this reason, we recommend that you enable data compression only if every member of the group is a remote user connecting with a modem. If any members of the group connect via broadband, do not enable data compression for the group. Instead, divide the group into two groups, one for modem users and the other for broadband users. Enable data compression only for the group of modem users.


Default Preshared Key

Enter the preshared secret. Use a minimum of four and a maximum of 32 alphanumeric characters.

This option allows the following VPN clients to connect to the VPN Concentrator:

• VPN clients that use pre-shared secrets but do not support the concept of a “group,” such as the Microsoft Windows XP L2TP/IPSec client.

• VPN router devices that are creating inbound connections from non-fixed IP addresses using pre-shared secrets.

Reauthentication on Rekey

Check the Reauthentication on Rekey check box to enable reauthentication, or uncheck the box to disable it.

If you have enabled the Reauthentication on Rekey feature, the VPN Concentrator prompts the user to enter an ID and password during Phase 1 IKE negotiation and also prompts for user authentication whenever a rekey occurs. Reauthentication provides additional security.

If the configured rekey interval is very short, users might find the repeated authorization requests inconvenient. In this case, disable reauthentication. To check your VPN Concentrator’s configured rekey interval, see the Lifetime Measurement, Data Lifetime, and Time Lifetime fields on the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add or Modify screen.

Note At 85% of the rekey interval, the Cisco VPN Client prompts the user to reauthenticate. If the user does not respond within approximately 90 seconds, the VPN Concentrator drops the connection.

Client Type & Version Limiting

Construct rules to permit or deny VPN Clients according to their type and software version. Construct these rules exactly, using the formats, abbreviations, and other rule specifications defined below.

• Construct rules in the format p[ermit]/d[eny] <type> : <version>, for example, d VPN 3002 : 3.6*.

• The * character is a wildcard. You can use it multiple times in each rule. For example: deny *:3.6* = Deny all clients running software version 3.6x.

• Use a separate line for each rule.

• Order rules by priority.

– If you do not define any rules, all connections are permitted.

– The first rule that matches is the rule that applies. If a later rule contradicts, the system ignores it.

• When a client matches none of the rules, the connection is denied. This means that if you define a deny rule, you must also define at least one permit rule, or all connections are denied.

• For both software and hardware clients, client type and software version must match (case insensitive) their appearance in the Monitoring | Sessions screen, including spaces. We recommend that you copy and paste from that screen to this one.

• Use "n/a" for either the type or the version to identify information the client does not send. For example: permit n/a:n/a = Permit any client that does not send the client type and version.


• You can use a total of 255 characters for rules. The newline between rules uses two characters. To conserve characters:

– Use p for permit, d for deny

– Eliminate spaces except as required for client type and version. You do not need a space before or after the colon (:).
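A rule evaluator for the syntax above, added here as an example and not taken from the manual or from the concentrator: it implements the p[ermit]/d[eny] grammar, the * wildcard, first-match-wins ordering, the default deny when nothing matches, the n/a convention and the 255-character budget with two characters per newline, all as the text states them. The function names, the RuleError class and the SAMPLE_RULES text are this example's own assumptions; client type and version strings are compared case-insensitively, as the text requires.

```python
import re
from typing import List, Optional, Pattern, Tuple

MAX_RULE_CHARS = 255   # total budget for the whole rule set (manual)
NEWLINE_COST = 2       # the newline between rules counts as two characters (manual)

# p[ermit]/d[eny] <type> : <version>; spaces around the colon are optional and
# the type may itself contain spaces (for example "VPN 3002").
_RULE_RE = re.compile(r"^\s*(p|permit|d|deny)\s+([^:]*?)\s*:\s*(.*?)\s*$", re.IGNORECASE)

Rule = Tuple[bool, Pattern, Pattern, str]   # (permit?, type pattern, version pattern, source)


class RuleError(ValueError):
    """Raised for a malformed rule or an over-long rule set."""


def rule_text_cost(rules_text: str) -> int:
    """Characters the rule set consumes, counting each newline as two."""
    text = rules_text.replace("\r\n", "\n")
    return len(text.replace("\n", "")) + NEWLINE_COST * text.count("\n")


def rules_fit(rules_text: str) -> bool:
    """True if the rule set stays within the 255-character field."""
    return rule_text_cost(rules_text) <= MAX_RULE_CHARS


def _wildcard(pattern: str) -> Pattern:
    # '*' is the only wildcard and may appear any number of times; everything
    # else is literal. The whole field must match, case-insensitively.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                      re.IGNORECASE)


def compile_rules(rules_text: str) -> List[Rule]:
    """Parse the rule text, one rule per line, into an ordered list of rules."""
    if not rules_fit(rules_text):
        raise RuleError("rule text uses %d characters; the limit is %d"
                        % (rule_text_cost(rules_text), MAX_RULE_CHARS))
    compiled: List[Rule] = []
    for lineno, line in enumerate(rules_text.replace("\r\n", "\n").split("\n"), 1):
        if not line.strip():
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise RuleError("line %d: expected p[ermit]/d[eny] <type> : <version>" % lineno)
        action, ctype, cver = m.groups()
        compiled.append((action.lower().startswith("p"), _wildcard(ctype),
                         _wildcard(cver), line.strip()))
    return compiled


def check_client(compiled: List[Rule], client_type: Optional[str],
                 client_version: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Return (permitted, text of the rule that decided).

    client_type / client_version are the strings shown on Monitoring | Sessions;
    pass None for a field the client did not send, which matches the literal n/a."""
    if not compiled:
        return True, None          # no rules defined: all connections are permitted
    ctype = "n/a" if client_type is None else client_type
    cver = "n/a" if client_version is None else client_version
    for permit, type_re, ver_re, source in compiled:
        if type_re.match(ctype) and ver_re.match(cver):
            return permit, source  # the first matching rule applies; later ones are ignored
    return False, None             # no rule matched: the connection is denied


# Constructed rule set: refuse VPN 3002 hardware clients on 3.6x, admit everything else.
SAMPLE_RULES = "d VPN 3002 : 3.6*\np *:*"

if __name__ == "__main__":
    rules = compile_rules(SAMPLE_RULES)
    print(rule_text_cost(SAMPLE_RULES), "characters used")
    for client in (("VPN 3002", "3.6.7"), ("vpn 3002", "4.0.1"), (None, None)):
        print(client, check_client(rules, *client))
```

Passing None for a field the client did not send makes it match the literal n/a, so a rule set made only of deny rules still denies every client, which is the behaviour the list above warns about; check rules_fit before pasting a long rule set into the field, since the concentrator counts each newline as two characters.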

Mode Configuration

Check the Mode Configuration check box to use Mode Configuration with IPSec clients (also known as the ISAKMP Configuration Method or Configuration Transaction). This option exchanges configuration parameters with the client while negotiating Security Associations. If you check this box, configure the desired Mode Configuration Parameters; otherwise, ignore them. The box is checked by default.

To use split tunneling, you must check this box.

If you checked L2TP over IPSec under Tunneling Protocols, do not check this box.

Note IPSec uses Mode Configuration to pass all configuration parameters to a client: IP address, DNS and WINS addresses, etc. You must check this box to use Mode Configuration. Otherwise, those parameters—even if configured with entries—are not passed to the client.

Note The Cisco VPN Client (IPSec client) supports Mode Configuration, but other IPSec clients might not. For example, the Microsoft Windows 2000 IPSec client does not support Mode Configuration. (The Windows 2000 client uses the PPP layer above L2TP to receive its IP address from the VPN Concentrator.) Determine compatibility before using this option with other vendors’ clients. While this functionality might work with other clients, Cisco does not certify or formally support this environment for other clients.


Client Configuration Parameters Tab

These base-group parameters apply to IPSec clients.

Figure 13-4 Configuration | User Management | Base Group, Client Configuration Parameters Tab


Allow Password Storage on Client

Check the Allow Password Storage on Client check box to allow IPSec clients to store their login passwords on their local client systems. If you do not allow password storage (the default), IPSec users must enter their password each time they seek access to the VPN. For maximum security, we recommend that you not allow password storage.

This parameter has no bearing on interactive hardware client authentication or individual user authentication for a VPN 3002.

IPSec over UDP

Check the IPSec over UDP check box to allow the Cisco VPN Client (IPSec client) or VPN 3002 hardware client to connect to the VPN Concentrator via UDP through a firewall or router using NAT. The box is unchecked by default. See the following discussion.

IPSec over UDP Port

Enter the UDP port number to use on the VPN Concentrator if you allow IPSec through NAT. Enter a number in the range 4001 through 49151; default is 10000.

About IPSec over UDP

IPSec over UDP, sometimes called IPSec through NAT, lets you use the Cisco VPN Client or VPN 3002 hardware client to connect to the VPN Concentrator via UDP through a firewall or router that is running NAT. This feature is proprietary, it applies only to remote-access connections, and it requires Mode Configuration. Using this feature might slightly degrade system performance.

Enabling this feature creates runtime filter rules that forward UDP traffic for the configured port even if other filter rules on the interface drop UDP traffic. These runtime rules exist only while there is an active IPSec through NAT session. The system passes inbound traffic to IPSec for decryption and unencapsulation, and then passes it to the destination. The system passes outbound traffic to IPSec for encryption and encapsulation, applies a UDP header, and forwards it.

You can configure more than one group with this feature enabled, and each group can use a different port number. Port numbers must be in the 4001 through 49151 range, which is a subset of the IANA Registered Ports range.

The Cisco VPN Client must also be configured to use this feature (it is configured to use it by default). The VPN Client Connection Status dialog box indicates if the feature is being used. Refer to the VPN Client User Guide.

The VPN 3002 hardware client does not require configuration to use IPSec through NAT.

The Administration | Sessions and Monitoring | Sessions screens indicate if a session is using IPSec through NAT, and the Detail screens show the UDP port.

Note The following restrictions apply to multiple simultaneous connections using IPSec over UDP:

Multiple simultaneous connections from VPN Client or VPN 3002 hardware client users behind a PAT (Port Address Translation) device can work, but only if the PAT device assigns a unique source port for each simultaneous user.


Some PAT devices use UDP source port = 500 for all IKE sessions, even if there are multiple sessions. This allows only one session at a time; the second connection brought up from behind this type of PAT device causes the first session to be torn down. (This is unrelated to whether or not a PAT device supports “ESP” PAT, or if you are using the IPSec UDP functionality.)

Therefore, for multiple simultaneous IPSec over UDP connections, use a PAT device that maps each additional session to use unique UDP source ports. Alternatively, connect additional users to different destination VPN Concentrators.

IPSec Backup Servers

IPSec backup servers let a VPN 3002 Hardware Client or a Cisco VPN Client connect to the central site when its primary central-site VPN Concentrator is unavailable. Configure backup servers either on the client or on the primary central-site VPN Concentrator. If you configure backup servers on the central-site VPN Concentrator, that VPN Concentrator pushes the backup server policy to the clients in the group.

By default the policy is to use the backup server list configured on the client. Alternatively, the VPN Concentrator can push a policy that supplies a list of backup servers in order of priority (replacing the backup server list on the client if one is configured), or it can disable the feature and clear the backup server list on the client if one is configured.

Figure 13-5 illustrates how the backup server feature works.

Figure 13-5 Backup Server Implementation. The figure shows a VPN 3080 Concentrator in San Jose, VPN 3000 Concentrators in Austin and Boston, and a VPN 3002 Hardware Client in Fargo, with the Fargo client's connection attempts numbered 1 (San Jose), 2 (Austin) and 3 (Boston).


XYZ corporation has large sites in three cities: San Jose, California; Austin, Texas; and Boston, Massachusetts. They just opened a regional sales office in Fargo, North Dakota. To provide access to the corporate network from Fargo, they use a VPN 3002 that connects to a VPN 3080 in San Jose (1). If the VPN 3002 is unable to contact the corporate network, Fargo cannot place orders. However, the IPSec backup server feature lets the VPN 3002 connect to one of several other sites, in this case using Austin (2) and Boston (3) as backup servers, in that order.

The VPN 3002 in Fargo first attempts to reach San Jose. If the initial IKE packet for that connection (1) times out (8 seconds), the VPN 3002 tries to connect to Austin (2). Should this negotiation also time out, the VPN 3002 tries to connect to Boston (3). These attempts continue until the VPN 3002 has tried all servers on its backup server list, to a maximum of 10.

Be aware of the following characteristics of the backup server feature:

• A client must connect to the primary VPN Concentrator to download a backup server list configured on the primary VPN Concentrator. If that Concentrator is unavailable, and if the client has a previously configured backup server list, it can connect to the servers on that list.

• A client can download a backup server list only from the primary VPN Concentrator. It cannot download a backup server list from a backup server.

• The VPN Concentrators that you configure as backup servers do not have to be aware of each other.

• If you change the configuration of backup servers, or delete a backup server during an active session between a client and a backup server, the session continues without adopting that change. New settings take effect the next time the client connects to its primary VPN Concentrator.

If the VPN 3002 cannot connect after trying all backup servers on the list, it does not automatically retry.

– In Network Extension mode, the VPN 3002 attempts a new connection after 4 seconds.

– In Client mode, the VPN 3002 attempts a new connection when the user presses the Connect Now button on the Monitoring | System Status screen, or when data passes from the VPN 3002 to the VPN Concentrator.

You can configure the backup server feature from the primary VPN Concentrator or the client.

Table 13-2 Where to Configure the Backup Server Feature

Device                     Where to configure backup servers
-------------------------  ------------------------------------------------------------------
VPN Concentrator           Configuration | User Management | Base Group or Groups | Mode
                           Configuration screens.
VPN 3002 Hardware Client   Configuration | System | Tunneling Protocols | IPSec screen.
                           Note: The list you configure on the VPN 3002 applies only if the
                           option Use Client Configured List is set in the IPSec Backup
                           Servers parameter. To set this parameter, go to the Mode
                           Configuration tab of the Configuration | User Management |
                           Groups | Add/Modify screen for the primary VPN Concentrator to
                           which the VPN 3002 connects.
VPN Client                 Properties > Connections tab.


The group name, username, and passwords that you configure for the client must be identical for the primary VPN Concentrator and all backup servers. Also, if you require interactive hardware client authentication and/or individual user authentication for the VPN 3002 on the primary VPN Concentrator, be sure to configure it on backup servers as well. See the HW Client Parameters Tab for more information.

Configuring Backup Servers on the Central-Site VPN Concentrator

To configure backup servers on the primary central-site VPN Concentrator, accept the default, Use the list below, in the IPSec Backup Servers drop-down menu.

Enter either the IP addresses or the hostnames of the VPN Concentrators that are to be backup servers. The IP address is the IP address of the VPN Concentrator public interface.

Note If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind a VPN 3002 obtain DNS and WINS information from the VPN 3002 through DHCP, and the connection to the primary server is lost, and the backup servers have different DNS and WINS information, clients cannot be updated until the DHCP lease expires. Further, if you use hostnames and the DNS server is unavailable, significant delays can occur.

You can enter up to 10 backup servers, in order of highest to lowest priority. Enter each backup server on a single line, using the Enter or Return key for each new line.

Should there be a backup server list already configured on the client, this list on the central-site VPN Concentrator replaces it, and becomes the list of backup servers on the client.

If you change the configuration of backup servers, or delete a backup server during an active session between a client and a backup server, the session continues without adopting that change. New settings take effect in the next new session.

Configuring Backup Servers from the VPN 3002

To configure backup servers on the VPN 3002, accept the default, Use client configured list in the IPSec Backup Servers drop-down menu. You then configure backup servers in the VPN 3002 Configuration | System | Tunneling Protocols | IPSec screen. Refer to the Tunneling chapter in the VPN 3002 Hardware Client User Reference for instructions.

Configuring Backup Servers from the Cisco VPN Client

To configure backup servers on the Cisco VPN Client, check the Enable backup server(s) check box on the Properties > Connections tab. Click Add, then enter the hostname or IP address of the backup server(s). Refer to the VPN Client User Guide for your platform for more information.

Disabling Backup Servers

To disable the backup server feature, select Disable and clear client configured list in the IPSec Backup Servers drop-down menu. If you disable the feature from the primary VPN Concentrator, the feature is disabled and the list of backup servers configured on the client, if there is one, is cleared.
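The backup server behaviour described in this section, modelled as an added example that is not code from the manual or from the VPN 3002: the three IPSec Backup Servers drop-down values and what each does to the client's list, plus the ordered connection attempts from the Figure 13-5 walk-through. The 8-second IKE timeout, the 10-server maximum, the 4-second Network Extension mode retry and the drop-down names come from the text; the hostnames, the attempt callback and the function names are this example's own assumptions.

```python
from typing import Callable, List, Optional, Tuple

MAX_BACKUP_SERVERS = 10       # the client tries at most 10 servers on its list (manual)
IKE_ATTEMPT_TIMEOUT_S = 8     # initial IKE packet timeout per server (manual)
NEM_RETRY_DELAY_S = 4         # Network Extension mode retries after 4 seconds (manual)

# The three IPSec Backup Servers drop-down values, as named in the manual.
USE_LIST_BELOW = "Use the list below"
USE_CLIENT_LIST = "Use client configured list"
DISABLE_AND_CLEAR = "Disable and clear client configured list"


def apply_pushed_policy(policy: str, concentrator_list: List[str],
                        client_list: List[str]) -> List[str]:
    """Backup server list the client holds after connecting to its primary.

    Only the primary VPN Concentrator delivers this policy; a backup server never does,
    so a client that cannot reach its primary keeps whatever list it already had."""
    if policy == USE_LIST_BELOW:
        return list(concentrator_list)[:MAX_BACKUP_SERVERS]  # replaces any client list
    if policy == USE_CLIENT_LIST:
        return list(client_list)                             # client's own list stays
    if policy == DISABLE_AND_CLEAR:
        return []                                            # feature off, list cleared
    raise ValueError("unknown IPSec Backup Servers policy: %r" % policy)


def connect(primary: str, backup_list: List[str], attempt: Callable[[str], bool],
            mode: str = "client", max_rounds: int = 1) -> Tuple[Optional[str], int]:
    """Try the primary, then each backup in priority order.

    attempt(server) -> bool stands in for the IKE negotiation; False means the
    8-second timeout expired. Returns (server, seconds elapsed), server being None
    when every attempt failed. In Network Extension mode the VPN 3002 waits
    4 seconds and starts over (up to max_rounds passes); in Client mode it stops
    after one pass and waits for Connect Now or for outbound data."""
    servers = [primary] + list(backup_list)[:MAX_BACKUP_SERVERS]
    elapsed = 0
    for _ in range(max_rounds):
        for server in servers:
            if attempt(server):
                return server, elapsed
            elapsed += IKE_ATTEMPT_TIMEOUT_S
        if mode != "network-extension":
            break
        elapsed += NEM_RETRY_DELAY_S   # wait before the next automatic pass
    return None, elapsed


# Constructed topology modelled on Figure 13-5 (hostnames are made up).
PRIMARY = "vpn-sanjose.example.com"
CENTRAL_SITE_LIST = ["vpn-austin.example.com", "vpn-boston.example.com"]


def failover_demo(reachable, mode: str = "client",
                  max_rounds: int = 1) -> Tuple[Optional[str], int]:
    """Where the Fargo VPN 3002 ends up, given the set of hosts that answer IKE."""
    # The client had a stale list of its own; the primary's pushed policy replaces it.
    backups = apply_pushed_policy(USE_LIST_BELOW, CENTRAL_SITE_LIST, ["stale.example.com"])
    return connect(PRIMARY, backups, lambda s: s in reachable, mode, max_rounds)


if __name__ == "__main__":
    print(failover_demo({"vpn-boston.example.com"}))
    print(failover_demo(set(), mode="network-extension", max_rounds=2))
```

The elapsed-seconds figure is the outage a remote site sees before it lands on a backup: two dead servers ahead of Boston cost 16 seconds, and a list padded to the 10-server maximum costs up to 88 seconds per pass. The stale client list in failover_demo never gets used, because Use the list below replaced it on the last successful connection to the primary.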


Intercept DHCP Configure Message

DHCP Intercept lets Microsoft XP clients implement split-tunneling with a VPN Concentrator. The VPN Concentrator replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous.

Note A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. The VPN Concentrator limits the number of routes it sends to 27-40 routes, with the number of routes dependent on the classes of the routes, to avoid this problem.

Check the box to enable DHCP Intercept.

Subnet Mask

Enter the subnet mask for clients requesting Microsoft DHCP options.

Banner

Enter the banner, or welcome text, that this group’s IPSec clients see when they log in. The maximum length is 510 characters. You can use ASCII characters, including new line (the Enter key, which counts as two characters).

You can display a banner to VPN Clients, WebVPN users, and on VPN 3002 hardware clients that are configured for individual user authentication.

Split Tunneling Policy

Split tunneling lets an IPSec client conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in cleartext form. Packets not bound for destinations on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. Split tunneling thus eases the processing load, simplifies traffic management, and speeds up untunneled traffic.

Note To implement split tunneling for Microsoft XP clients, you must meet several conditions:

• Set the Split Tunneling Policy to “Only tunnel networks in list.”

• Configure network lists and default domain names in the Common Client Parameters section of this screen.

• Change the default setting on the client PC’s Internet Protocol (TCP/IP) Properties window. The path is Control Panel > Network Connections > VPN > VPN Properties > Networking > Internet Protocol (TCP/IP) > Select Properties > Internet Protocol (TCP/IP) Properties window. Select Advanced and uncheck the box.

Note If you enable both split tunneling and individual user authentication for a VPN 3002, users must authenticate only when sending traffic bound for destinations on the other side of the IPSec tunnel.

Split tunneling is primarily a traffic management feature, not a security feature. In fact, for optimum security, we recommend that you not enable split tunneling. However, since only the VPN Concentrator—and not the IPSec client—can enable split tunneling, you can control implementation here and thus protect security. Split tunneling is disabled by default on both the VPN Concentrator and the client. You enable and configure the feature on the VPN Concentrator, and then the VPN Concentrator uses Mode Configuration to push it to, and enable it on, the IPSec client.

Split tunneling applies only to single-user remote-access IPSec tunnels, not to LAN-to-LAN connections.

The default split tunneling policy is Tunnel Everything. Tunnel Everything disables split tunneling. When Tunnel Everything is configured, all traffic from remote clients in this group travels over the secure IPSec tunnel in encrypted form. No traffic goes in the clear or to any other destination than the VPN Concentrator. Remote users in this group reach internet networks through the corporate network and do not have access to local networks.

If users in this group need access to local networks, choose Allow Networks in List to Bypass Tunnel. This option allows you to define a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel.

To configure the Allow Networks in List to Bypass Tunnel option, choose VPN Client Local LAN from the Split Tunnel Network List menu. The VPN Client Local LAN option allows all users in the group to access all devices on their local networks. If you want to restrict users’ access to particular devices on their local network, you need to know the addresses of the local devices the remote users in this group want to access. Create a network list of these addresses, then choose that network list from the Split Tunneling Network List menu. You can apply only one network list to a group, but one network list can contain up to 10 network entries. (See the Configuration | Policy Management | Traffic Management | Network Lists screens for more information on creating network lists.) You also must enable Local LAN Access on the VPN Client. See the VPN Client Administrator Guide for more details.

Note The Allow Networks in List to Bypass Tunnel option allows remote users to access only devices that are located on the same network interface as the tunnel. If a remote user’s local LAN is located on a different network interface than the tunnel, the user cannot access it.

To allow remote users to access internet networks without tunneling through the corporate network, enable split tunneling. To enable split tunneling, choose Only Tunnel Networks in List. To configure this option, create a network list of addresses to tunnel. Then select this network list from the Split Tunneling Network List menu. Data to all other addresses is sent in the clear and routed by the remote user’s internet service provider.

We recommend that you keep the base-group default, and that you enable and configure the split tunneling policy selectively for each group.

• Tunnel everything = Send all data via the secure IPSec tunnel.

• Allow networks in list to bypass the tunnel = Send all data via the secure IPSec tunnel except for data to addresses on the network list. The purpose of this option is to allow users who are tunneling all traffic to access devices such as printers on their local networks. This setting applies only to the Cisco VPN Client.

• Only tunnel networks in list = Send data to addresses on the network list via secure IPSec tunnel. Data bound for any other address goes in the clear. The purpose of this option is to allow remote users to access internet networks without requiring them to be tunneled through the corporate network.

Split Tunneling Network List

Click the drop-down menu button and select the split tunneling address list to use with this group’s remote-access IPSec clients.

Both the Allow Networks in List to Bypass Tunnel option and the Only Tunnel Networks in List option make split tunneling decisions on the basis of a network list, which is a list of addresses on the private network. But the network list functions differently in each configuration.

In an Allow Networks in List to Bypass Tunnel configuration, the IPSec client uses the network list as an exclusion list: a list of addresses to which traffic should be sent in the clear. All other traffic is routed over the IPSec tunnel.

In an Only Tunnel Networks in List configuration, the IPSec client uses the network list as an inclusion list: a list of networks for which traffic should be sent over the IPSec tunnel. The IPSec client establishes an IPSec Security Association (SA) for each network specified in the list. Outbound packets with destination addresses that match one of the SAs are sent over the tunnel; everything else is sent as clear text to the locally connected network.

• None = No network address lists are configured.

• VPN Client Local LAN (default) = All addresses on the client’s local network. The VPN Client Local LAN network list is a wildcard value that represents the client’s local network. It corresponds to the address 0.0.0.0/0.0.0.0, which represents the IP address of the client’s network card on which the tunnel is established. This option is the default associated with Allow Networks in List to Bypass Tunnel. It does not apply to the Only Tunnel Networks in List option.
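The following is an added illustration (not Cisco code) of the decision the three policies above produce for an outbound packet. It assumes the policy names as they appear in the menu, network-list entries in the Concentrator's "address/dotted-mask" form, and an assumed `local_lan` input (the subnet of the adapter on which the tunnel is established) that stands in for the VPN Client Local LAN wildcard.

```python
"""Model of the split tunneling decision the VPN Client makes under each
Split Tunneling Policy. Added illustration, not Cisco code: policy names
follow the menu, network-list entries use "address/dotted-mask" form, and
local_lan (the subnet of the adapter carrying the tunnel) is an assumed
input standing in for the VPN Client Local LAN wildcard.
"""
from ipaddress import IPv4Address, IPv4Network

TUNNEL_EVERYTHING = "Tunnel Everything"
BYPASS_LIST = "Allow Networks in List to Bypass Tunnel"
ONLY_LIST = "Only Tunnel Networks in List"

# Wildcard entry: "all addresses on the client's local network".
VPN_CLIENT_LOCAL_LAN = "0.0.0.0/0.0.0.0"
MAX_NETWORK_ENTRIES = 10  # one network list can hold up to 10 entries


def expand_network_list(entries, local_lan):
    """Convert the group's network list to IPv4Network objects.

    The wildcard is replaced by the subnet of the interface the tunnel is
    established on, so devices on any other interface are never matched,
    which is the restriction the Note above describes.
    """
    if len(entries) > MAX_NETWORK_ENTRIES:
        raise ValueError(f"a network list holds at most {MAX_NETWORK_ENTRIES} entries")
    nets = []
    for entry in entries:
        target = local_lan if entry == VPN_CLIENT_LOCAL_LAN else entry
        nets.append(IPv4Network(target, strict=False))
    return nets


def route_decision(policy, entries, dst, local_lan):
    """Return "tunnel" or "clear" for an outbound packet to dst.

    Tunnel Everything: everything goes into the tunnel.
    Allow Networks in List to Bypass Tunnel: the list is an exclusion list.
    Only Tunnel Networks in List: the list is an inclusion list (one SA per
    entry); the Local LAN wildcard does not apply to this policy.
    """
    if policy == TUNNEL_EVERYTHING:
        return "tunnel"
    if policy not in (BYPASS_LIST, ONLY_LIST):
        raise ValueError(f"unknown split tunneling policy: {policy!r}")
    if policy == ONLY_LIST and VPN_CLIENT_LOCAL_LAN in entries:
        raise ValueError("VPN Client Local LAN does not apply to Only Tunnel Networks in List")
    dst_addr = IPv4Address(dst)
    matched = any(dst_addr in net for net in expand_network_list(entries, local_lan))
    if policy == BYPASS_LIST:
        return "clear" if matched else "tunnel"
    return "tunnel" if matched else "clear"


if __name__ == "__main__":
    # Constructed sample: a client whose tunnel adapter sits on 192.168.1.0/24.
    lan = "192.168.1.0/255.255.255.0"
    home_printer, corp_host, web = "192.168.1.20", "10.5.6.7", "198.51.100.8"
    print(route_decision(TUNNEL_EVERYTHING, [], home_printer, lan))               # tunnel
    print(route_decision(BYPASS_LIST, [VPN_CLIENT_LOCAL_LAN], home_printer, lan))  # clear
    print(route_decision(BYPASS_LIST, [VPN_CLIENT_LOCAL_LAN], web, lan))           # tunnel
    print(route_decision(ONLY_LIST, ["10.0.0.0/255.0.0.0"], corp_host, lan))       # tunnel
    print(route_decision(ONLY_LIST, ["10.0.0.0/255.0.0.0"], web, lan))             # clear
```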

Default Domain Name

Enter the default domain name that the VPN Concentrator passes to the IPSec client, for the client’s TCP/IP stack to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. For example, if this entry is xyzcorp.com, a DNS query for mail becomes mail.xyzcorp.com. The maximum name length is 255 characters. The Manager checks the domain name for valid syntax.

Split DNS Names

Split DNS lets an internal DNS server resolve a list of centrally-defined Local Domain Names, while ISP-assigned DNS servers resolve all other DNS requests. It is used in split-tunneling connections; the internal DNS server resolves the domain names for traffic through the tunnel, and the ISP-assigned DNS servers resolve DNS requests that travel in the clear to the Internet.

The VPN Concentrator does not support split-DNS for Microsoft VPN Clients; however, it does support split DNS for the Cisco VPN Client operating on Microsoft Windows operating systems.

Enter each domain name to be resolved by the internal server. Use commas but no spaces to separate the names.
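As an added illustration (not Cisco code) of how a split-tunneling client applies the Default Domain Name and the Split DNS Names list, the model below validates the field formats described above and decides which server set handles a query. The resolver labels "internal" and "isp" are assumed names for the two server sets, and the rule that a name containing a dot is already qualified is a simplification of real resolver behaviour.

```python
"""Model of Default Domain Name and Split DNS Names handling on a
split-tunneling client. Added illustration, not Cisco code: "internal" and
"isp" are assumed labels for the two server sets the text describes, and
treating any name containing a dot as fully qualified is a simplification.
"""
import re

MAX_DEFAULT_DOMAIN_LEN = 255
# One DNS label: letters, digits and interior hyphens, 1 to 63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_domain(name):
    """Syntax check in the spirit of the Manager's: length limit plus
    well-formed dot-separated labels."""
    if not name or len(name) > MAX_DEFAULT_DOMAIN_LEN:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def parse_split_dns_names(field):
    """Parse the Split DNS Names field: names separated by commas, no spaces."""
    if field == "":
        return []
    if " " in field:
        raise ValueError("separate Split DNS Names with commas but no spaces")
    names = [n.lower() for n in field.split(",")]
    bad = [n for n in names if not valid_domain(n)]
    if bad:
        raise ValueError(f"invalid domain name(s): {bad}")
    return names


def qualify(query, default_domain):
    """Append the default domain to a query that omits the domain field,
    e.g. "mail" with default domain "xyzcorp.com" -> "mail.xyzcorp.com"."""
    if not valid_domain(default_domain):
        raise ValueError(f"invalid default domain name: {default_domain!r}")
    query = query.lower().rstrip(".")
    return query if "." in query else f"{query}.{default_domain.lower()}"


def choose_resolver(query, default_domain, split_dns_names):
    """Return (fqdn, resolver): "internal" for names under a Split DNS domain
    (resolved through the tunnel), "isp" for everything else (resolved in
    the clear by the ISP-assigned servers). Matching is on label boundaries,
    so "notxyzcorp.com" does not fall under "xyzcorn.com"."""
    fqdn = qualify(query, default_domain)
    for domain in split_dns_names:
        if fqdn == domain or fqdn.endswith("." + domain):
            return fqdn, "internal"
    return fqdn, "isp"


if __name__ == "__main__":
    # Constructed group settings; xyzcorp.com is the page's own example domain.
    names = parse_split_dns_names("xyzcorp.com,lab.xyzcorp.net")
    for q in ("mail", "intranet.xyzcorp.com", "build.lab.xyzcorp.net", "www.example.org"):
        print(q, "->", choose_resolver(q, "xyzcorp.com", names))
```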

Client FW Parameters Tab

This tab lets you configure firewall parameters for VPN Clients.

Note Only VPN Clients running Microsoft Windows can use these firewall features. They are presently not available to hardware clients or other (non-Windows) software clients.

A firewall isolates and protects a computer from the Internet by inspecting each individual inbound and outbound packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the user’s PC, and thereby the corporate network, from intrusions by way of the Internet or the user’s local LAN.

Remote users connecting to the VPN Concentrator with the VPN Client can choose from three possible firewall options.

In the first scenario, a remote user has a personal firewall installed on the PC. The VPN Client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN Client drops the connection to the VPN Concentrator. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN Client monitors the firewall by sending it periodic “are you there?” messages; if no reply comes, the VPN Client knows the firewall is down and terminates its connection to the VPN Concentrator.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration.

In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN Client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the VPN Concentrator, you create a set of traffic management rules to enforce on the VPN Client, associate those rules with a filter, and designate that filter as the firewall policy. The VPN Concentrator pushes this policy down to the VPN Client. The VPN Client then in turn passes the policy to the local firewall, which enforces it.

A third scenario is to use a separate firewall server—the Zone Labs Integrity Server (IS)—to secure remote PCs on Windows platforms. The IS maintains policies for remote VPN Client PCs and monitors the PCs to ensure policy enforcement. The IS also communicates with the VPN Concentrator to allow and terminate connections, exchange session and user information, and report status information. For more details on how the VPN Concentrator interacts with the VPN Client, personal firewalls, and the Zone Labs Integrity Server, see the VPN Client Administrator Guide. For information on configuring the Zone Labs Integrity Server, refer to Zone Labs’ documentation.

Figure 13-6 Configuration | User Management | Base Group | Client FW Parameters Tab

Firewall Setting

By default, no firewall is required for remote users in this group. If you want users in this group to be firewall-protected, choose either the Firewall Required or Firewall Optional setting.

If you choose Firewall Required, all users in this group must use the designated firewall. The VPN Concentrator drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the VPN Concentrator notifies the VPN Client that its firewall configuration does not match.

If you have remote users in this group who do not yet have firewall capacity, choose Firewall Optional. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not—for example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.

Click the radio button to select a firewall setting:

• No Firewall = No firewall is required for remote users in this group.

• Firewall Required = All remote users in this group must use a specific firewall. Only those users with the designated firewall can connect.

Note If you require a firewall for a group, make sure the group does not include any clients other than Windows VPN Clients. Any other clients in the group (including VPN 3002 Hardware Clients) are unable to connect.

• Firewall Optional = All remote users in this group can connect. Those that have the designated firewall can use it. Those who do not have a firewall receive a warning message.

Firewall

Choose a firewall for the users in this group. Keep in mind when choosing that the firewall you designate correlates with the firewall policies available. The specific firewall you configure determines which firewall policy options are supported. (See Table 13-4 for details.)

Click the drop-down menu button, and select the type of firewall required for users in this group.

• Cisco Integrated Client Firewall = The stateful firewall built into the VPN Client.

• Network ICE BlackICE Defender = The Network ICE BlackICE Agent or Defender personal firewall.

• Zone Labs ZoneAlarm = The Zone Labs ZoneAlarm personal firewall.

• Zone Labs ZoneAlarm Pro = The Zone Labs ZoneAlarm Pro personal firewall.

• Zone Labs ZoneAlarm or ZoneAlarm Pro = Either the Zone Labs ZoneAlarm personal firewall or the Zone Labs ZoneAlarm Pro personal firewall.

• Zone Labs Integrity = The Zone Labs Integrity Client.

• Sygate Personal Firewall = The Sygate Personal Firewall.

• Sygate Personal Firewall Pro = The Sygate Personal Firewall Pro.

• Sygate Security Agent = The Sygate Security Agent personal firewall.

• Cisco Intrusion Prevention Security Agent = Cisco Systems security agent.

• Custom Firewall = A combination of the firewalls listed above, or other firewalls not listed above. If you choose this option, you must create your own list of firewalls in the Custom Firewall field.

Note You do not need to use the Custom option for Release 4.0. Currently, all supported firewalls are covered by the other Firewall menu options.

Custom Firewall

On the VPN Concentrator, you can configure a custom firewall. Currently, every supported firewall can be chosen from the Firewall menu on the VPN Concentrator, so this feature is mainly for future use. Nevertheless, the following table lists the vendor codes and products that are currently supported.

Enter a single vendor code; enter one or more product codes.

The VPN Concentrator can support any firewall that the VPN Client supports. Refer to the VPN Client Administrator Guide for the latest list of supported clients.

Vendor ID

Enter the vendor code for the firewall(s) that remote users in this group are using. Enter only one vendor.

Product ID

Enter the product code or codes for the firewall(s) that remote users in this group are using. To indicate any supported product, enter 255. Separate multiple codes with commas. Indicate code ranges with hyphens, for example: 4-20.

Description

Enter a description (optional) for the custom firewall.

Table 13-3 Custom Vendor and Product Codes

Vendor | Vendor Code | Product | Product Code
Cisco Systems | 1 | Cisco Integrated Client (CIC) | 1
Cisco Systems | 5 | Cisco Intrusion Prevention Security Agent | 1
Zone Labs | 2 | Zone Alarm | 1
Zone Labs | 2 | Zone AlarmPro | 2
Zone Labs | 2 | Zone Labs Integrity | 3
NetworkICE | 3 | BlackIce Defender/Agent | 1
Sygate | 4 | Personal Firewall | 1
Sygate | 4 | Personal Firewall Pro | 2
Sygate | 4 | Security Agent | 3
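The following is an added illustration (not Cisco code) of parsing the Vendor ID and Product ID fields in the format described above (a single vendor code; product codes as a comma-separated list, hyphenated ranges such as 4-20, or 255 for any product) and checking a client-reported vendor/product pair against the result. The code table is Table 13-3; the reported pairs are constructed samples, and treating 255 as matching any product code is an assumption based on the text.

```python
"""Parser and matcher for the Custom Firewall Vendor ID and Product ID
fields. Added illustration, not Cisco code: the code table is Table 13-3,
the client-reported (vendor, product) pairs are constructed, and the rule
that 255 matches any reported product code is an assumption from the text.
"""
ANY_PRODUCT = 255

# Table 13-3: vendor code -> (vendor, {product code: product})
VENDOR_PRODUCTS = {
    1: ("Cisco Systems", {1: "Cisco Integrated Client (CIC)"}),
    5: ("Cisco Systems", {1: "Cisco Intrusion Prevention Security Agent"}),
    2: ("Zone Labs", {1: "Zone Alarm", 2: "Zone AlarmPro", 3: "Zone Labs Integrity"}),
    3: ("NetworkICE", {1: "BlackIce Defender/Agent"}),
    4: ("Sygate", {1: "Personal Firewall", 2: "Personal Firewall Pro", 3: "Security Agent"}),
}


def _code(text):
    """Parse one code; codes are non-negative integers."""
    text = text.strip()
    if not text.isdigit():
        raise ValueError(f"not a numeric code: {text!r}")
    return int(text)


def parse_product_ids(field):
    """Parse the Product ID field.

    "255" means any supported product (returned as None). Otherwise the
    field is a comma-separated list of codes and hyphenated ranges, such as
    "1,3" or "4-20"; the result is the set of codes covered.
    """
    if field.strip() == str(ANY_PRODUCT):
        return None
    codes = set()
    for part in field.split(","):
        if "-" in part:
            lo, hi = (_code(p) for p in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"range {part.strip()!r} runs backwards")
            codes.update(range(lo, hi + 1))
        else:
            codes.add(_code(part))
    if ANY_PRODUCT in codes:
        raise ValueError("enter 255 on its own to mean any product")
    return codes


def custom_firewall_rule(vendor_field, product_field):
    """Build a (vendor, products) rule from the two fields. Exactly one
    vendor is allowed; it need not appear in Table 13-3, since the field
    is meant for firewalls not yet listed."""
    if "," in vendor_field:
        raise ValueError("enter only one vendor code")
    return _code(vendor_field), parse_product_ids(product_field)


def client_matches(rule, reported_vendor, reported_product):
    """True if a client reporting (vendor, product) satisfies the rule."""
    vendor, products = rule
    if reported_vendor != vendor:
        return False
    return products is None or reported_product in products


def describe(rule):
    """Human-readable form of a rule, using Table 13-3 names where known."""
    vendor, products = rule
    vname, known = VENDOR_PRODUCTS.get(vendor, (f"vendor {vendor}", {}))
    if products is None:
        return f"{vname}: any product"
    names = [known.get(p, f"product {p}") for p in sorted(products)]
    return f"{vname}: " + ", ".join(names)


if __name__ == "__main__":
    rule = custom_firewall_rule("2", "1-2")  # Zone Labs, ZoneAlarm or ZoneAlarm Pro
    print(describe(rule))                    # Zone Labs: Zone Alarm, Zone AlarmPro
    print(client_matches(rule, 2, 2))        # True
    print(client_matches(rule, 2, 3))        # False: Integrity is not covered
    print(client_matches(rule, 4, 1))        # False: wrong vendor
```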

Firewall Policy

Depending on which firewall you configured, certain Firewall Policy options are available. (See Table 13-4.)

Choose the source for the VPN Client firewall policy.

• Policy defined by remote firewall (AYT) = Remote users in this group have firewalls located on their PCs. The local firewall enforces the firewall policy on the VPN Client. The VPN Concentrator allows VPN Clients in this group to connect only if they have the designated firewall installed and running. If the designated firewall is not running, the connection fails. Once the connection is established, the VPN Client polls the firewall every 30 seconds to make sure that it is still running. If the firewall stops running, the VPN Client ends the session.

• Policy Pushed (CPP) = The VPN Concentrator enforces on the VPN clients in this group the traffic management rules defined by the filter you choose from the Policy Pushed (CPP) drop-down menu. The choices available on the menu are filters defined on this VPN Concentrator, including the default filters. Keep in mind that the VPN Concentrator pushes these rules down to the VPN client, so you should create and define these rules relative to the VPN client, not the VPN Concentrator. For example, “in” and “out” refer to traffic coming into the VPN Client or going outbound from the VPN Client.

If the VPN Client also has a local firewall, the policy pushed from the VPN Concentrator works with the policy of the local firewall. Any packet that is blocked by the rules of either firewall is dropped.

• Policy from Server = Users in this group use a Zone Labs Integrity Server to configure and manage firewall security on their remote PCs. If you choose this option, you must also configure the server address on the Configuration | System | Servers | Firewall Server screen.

Table 13-4 Firewall Policy Options Available for Each Firewall

Firewall | Policy Defined by Remote Firewall (AYT) | Policy Pushed (CPP) | Policy from Server
Cisco Integrated Client Firewall | No | Yes | No
Network ICE BlackICE Defender | Yes | No | No
Zone Labs ZoneAlarm | Yes | Yes | No
Zone Labs ZoneAlarm Pro | Yes | Yes | No
Zone Labs ZoneAlarm or Zone Labs ZoneAlarm Pro | Yes | Yes | No
Zone Labs Integrity | No | No | Yes
Sygate Personal Firewall | Yes | No | No
Sygate Personal Firewall Pro | Yes | No | No
Sygate Security Agent | Yes | No | No
Cisco Intrusion Prevention Security Agent | Yes | No | No
Custom Firewall | N/A (This field is for future use.)

HW Client Parameters Tab

The Hardware Client Parameters tab lets you configure several features for the VPN 3002 and its users in the base group.

Figure 13-7 Configuration | User Management | Base Group, HW Client Parameters Tab

Require Interactive Hardware Client Authentication

Check the Require Interactive Hardware Client Authentication check box to enable interactive authentication for VPN 3002s in the base group. For more information, see the section, “About Interactive Hardware Client Authentication,” below.

Require Individual User Authentication

Check the Require Individual User Authentication box to enable individual user authentication for users behind VPN 3002s in the base group. To display a banner to VPN 3002s in a group, individual user authentication must be enabled. For more information, see the section, “About Individual User Authentication,” below.

User Idle Timeout

Enter the idle timeout period in minutes. If there is no communication activity on a user connection in this period, the system terminates the connection. The minimum is 1 minute, the default is 30 minutes, and the maximum is 10080 minutes. To disable timeout and allow an unlimited idle period, enter 0.

Cisco IP Phone Bypass

Check the Cisco IP Phone Bypass box to let IP phones bypass the interactive individual user authentication processes. If enabled, interactive hardware client authentication remains in effect.

Note You must configure the VPN 3002 to use network extension mode for IP phone connections.

LEAP Bypass

Check the LEAP Bypass box to let LEAP packets from Cisco wireless devices bypass the individual user authentication processes (if enabled).

LEAP (Lightweight Extensible Authentication Protocol) Bypass lets LEAP packets from devices behind a VPN 3002 travel across a VPN tunnel prior to individual user authentication. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per individual user authentication (if enabled). For more information about LEAP Bypass, see the section, “About LEAP Bypass,” below.

Note This feature does not work as intended if you enable interactive hardware client authentication.

Allow Network Extension Mode

This feature lets you restrict the use of network extension mode on the VPN 3002. Check the box to let VPN 3002s use network extension mode.

Network extension mode is required for the VPN 3002 to support IP phone connections. This is because the Call Manager can communicate only with actual IP addresses.

Note If you disallow network extension mode, the default setting, the VPN 3002 can connect to this VPN Concentrator in PAT mode only. If you disallow network extension mode here, be careful to configure all VPN 3002s in a group for PAT mode. If a VPN 3002 is configured to use network extension mode and the VPN Concentrator to which it connects disallows network extension mode, the VPN 3002 attempts to connect every 4 seconds, and every attempt is rejected. In this situation, the VPN 3002 puts an unnecessary processing load on the VPN Concentrator to which it connects; if large numbers of VPN 3002s are misconfigured in this way, the VPN Concentrator has a reduced ability to provide service.

About Interactive Hardware Client Authentication

Interactive hardware client authentication provides the central site with additional security by requiring the VPN 3002 to authenticate with a username and password that you enter manually each time the VPN 3002 initiates a tunnel. With this feature enabled, the VPN 3002 does not have a saved username and password. When you enter the username and password, the VPN 3002 sends these credentials to the VPN Concentrator to which it connects. The VPN Concentrator facilitates authentication, on either the internal or an external authentication server. If the username and password are valid, the tunnel is established.

You configure interactive hardware client authentication in Hardware Client tab of the Configuration | User Management | Groups screen on the VPN Concentrator at the central site, which then pushes the policy to the VPN 3002.

You specify the type of authentication server in the IPSec tab of the Configuration | User Management | Groups screen on the VPN Concentrator. The VPN 3002 authenticates on the first server of that type that you configure in the Configuration | System | Servers | Authentication screen or Configuration | User Management | Groups | Authentication Servers screen. If the VPN 3002 cannot reach that server, it authenticates on the next server of that type in the list of authentication servers.

Enabling and Later Disabling Interactive Hardware Client Authentication

When you enable interactive hardware client authentication for a group, the VPN Concentrator pushes that policy to the VPN 3002s in the group. If you have previously set a username and password on the VPN 3002, the software deletes them from the configuration file. When you try to connect, the software prompts you for a username and password.

If, on the VPN Concentrator, you subsequently disable interactive hardware client authentication for the group, it remains enabled locally on the VPN 3002s, and the software continues to prompt for a username and password. This lets the VPN 3002 connect, even though it lacks a saved username and password and the VPN Concentrator has disabled interactive hardware client authentication.

If you subsequently configure a username and password (in the VPN 3002 Configuration | System | Tunneling Protocols | IPSec screen), the feature is disabled, and the prompt no longer displays. The VPN 3002 connects to the VPN Concentrator using the saved username and password.

About Individual User Authentication

Individual user authentication protects the central site from access by unauthorized persons on the private network of the VPN 3002.

When you enable individual user authentication, each user that connects through a VPN 3002 must open a web browser and manually enter a valid username and password to access the network behind the VPN Concentrator, even though the tunnel already exists.

To display a banner to VPN 3002s in a group, individual user authentication must be enabled.

Note You cannot use the command-line interface to log in if user authentication is enabled. You must use a browser.

• If you have a default home page on the remote network behind the VPN Concentrator, or direct the browser to a website on the remote network behind the VPN Concentrator, the VPN 3002 directs the browser to the proper pages for user login. When you successfully log in, the browser displays the page you originally entered.

• If you try to access resources on the network behind the VPN Concentrator that are not web-based, for example, e-mail, the connection fails until you authenticate using a browser.

• To authenticate, you must enter the IP address for the private interface of the VPN 3002 in the browser Location or Address field. The browser then displays the login screen for the VPN 3002. To authenticate, click the Connect/Login Status button.

• One user can log in for a maximum of four sessions simultaneously.

Individual users authenticate according to the order of authentication servers that you configure for a group. To configure authentication servers for individual user authentication, see the sections, Configuration | User Management | Base Group/Groups | Authentication Servers | Add/Modify.

Backup Servers with Interactive Hardware Client and Individual User Authentication

Be sure to configure any backup servers for the VPN 3002 with the same values as the primary VPN Concentrator for interactive hardware client authentication and individual user authentication. For information about configuring backup servers, see the section, “Client Configuration Parameters Tab.”

Accounting with Interactive Hardware Client and Individual User Authentication

If a VPN 3002 authenticates to a VPN Concentrator, and you have enabled accounting, the VPN Concentrator notifies the RADIUS accounting server when the VPN 3002 logs on and off. It also keeps track of individual users. See the section, “Configuration | System | Servers | Authorization | Add or Modify,” of this guide.

About LEAP Bypass

IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs with strong mutual authentication between clients and authentication servers, which can provide dynamic per-user, per-session Wired Equivalent Privacy (WEP) keys, removing administrative burdens and security issues that are present with static WEP keys.

Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.

Note Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting services.

LEAP Bypass for the VPN 3002

LEAP users behind a VPN 3002 have a circular dilemma: they cannot negotiate LEAP authentication because they cannot send their credentials to the RADIUS server behind the central site device over the tunnel. The reason they cannot send their credentials over the tunnel is that they have not authenticated on the wireless network. To solve this problem, LEAP Bypass lets LEAP packets, and only LEAP packets, traverse the tunnel to authenticate the wireless connection to a RADIUS server before individual users authenticate. Then the users proceed with individual user authentication.

LEAP Bypass works as intended under the following conditions:

• The interactive unit authentication feature (intended for wired devices) must be disabled. If interactive unit authentication is enabled, a non-LEAP (wired) device must authenticate the VPN 3002 before LEAP devices can connect using that tunnel.

• Individual user authentication is enabled (if it is not, you do not need LEAP Bypass).

• Access points in the wireless environment must be Cisco Aironet Access Points. The wireless NIC cards for PCs can be other brands.

• The Cisco Aironet Access Point must be running Cisco Discovery Protocol (CDP).

• The VPN 3002 can operate in either client mode or network extension mode.

• LEAP packets travel over the tunnel to a RADIUS server via ports 1645 or 1812.

Note There may be security risks in allowing any unauthenticated traffic to traverse the tunnel.

Summary of VPN 3002 Authentication Features

Table 13-5 summarizes how authentication of the VPN 3002 works by default, and how it works with interactive hardware client authentication and individual user authentication enabled. Be aware that you can use interactive hardware client authentication and individual user authentication simultaneously, or either one without the other.

Table 13-5 Authenticating the VPN 3002 Hardware Client and Users

Authentication with Saved Username and Password

• Authenticates the VPN 3002.

• On the VPN 3002, you configure the username and password in either of these screens: Configuration | Quick | IPSec, or Configuration | System | Tunneling Protocols | IPSec.

• The VPN 3002 saves the username and password.

• Requires no user interaction subsequent to initial configuration.

• The default option. You enable it on the VPN Concentrator. The VPN Concentrator pushes the policy to the VPN 3002.

• The VPN 3002 authenticates on the first server of the type that you configure. If the VPN 3002 cannot reach that server, it authenticates on the next server of that type in the list of authentication servers.

Interactive Hardware Client Authentication

• Authenticates the VPN 3002.

• You do not configure the username and password on the VPN 3002.

• The VPN 3002 does not save the username and password.

• You are prompted to enter a username and password each time the VPN 3002 initiates the tunnel.

• You enable it on the VPN Concentrator. The VPN Concentrator pushes the policy to the VPN 3002.

Individual User Authentication

• Authenticates a user or device on the private LAN behind the VPN 3002.

• You do not configure the username and password on the VPN 3002.

• The VPN 3002 does not save the username and password.

• You open a web browser and enter a username and password when prompted, even though the tunnel already exists. You cannot use the command-line interface.

• You enable it on the VPN Concentrator. The VPN Concentrator pushes the policy to the VPN 3002.

• Individual users authenticate according to the order of authentication servers configured, regardless of type.

• Individual users can authenticate according to the values of an embedded group rather than the tunnel group. See the section Configuration | System | General | Global Authentication Parameters of this guide.

LEAP Bypass

• Authenticates a wireless user or device on the private LAN behind the VPN 3002.

• You configure the Aironet Client Utility to use a saved username and password, or to prompt for a username and password each time a client connects. For more information, refer to the Cisco Aironet Wireless LAN Adapters Installation and Configuration Guide.

• If you use a saved username and password, LEAP requires no user interaction subsequent to initial configuration. Otherwise the Aironet Client Utility prompts you to enter a username and password.

• Individual users authenticate to RADIUS servers according to how the authentication servers are configured on the Aironet Access Point.

PPTP/L2TP Parameters Tab

This tab lets you configure PPTP and L2TP parameters that apply to the base group. During tunnel establishment, the client and server negotiate access and usage based on these parameters. Only clients that meet these criteria are allowed access. If you checked PPTP, L2TP, or L2TP over IPSec under Tunneling Protocols on the General Parameters tab, configure these parameters.

Figure 13-8 Configuration | User Management | Base Group Screen, PPTP/L2TP Tab

Use Client Address

Check the Use Client Address check box to accept and use an IP address that the client supplies. A client must have an IP address to function as a tunnel endpoint; but for maximum security, we recommend that you control IP address assignment and that you do not allow client-supplied IP addresses (the default).

Make sure the setting here is consistent with the setting for Use Client Address on the Configuration | System | Address Management | Assignment screen.

PPTP Authentication Protocols

Check the PPTP Authentication Protocols check boxes for the authentication protocols that PPTP clients can use. To establish and use a VPN tunnel, users should be authenticated in accordance with a protocol.

Caution Unchecking all authentication options means that no authentication is required. That is, PPTP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.

These choices specify the allowable authentication protocols in order from least secure to most secure.

• PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. We strongly recommend that you not allow this protocol (the default).

• CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the client returns the encrypted [challenge plus password], with a cleartext username. It is more secure than PAP, but it does not encrypt data. It is allowed by default.

• MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is similar to, but more secure than, CHAP. In response to the server challenge, the client returns the encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores, and compares, only encrypted passwords, rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption). This protocol is allowed by default. If you check Required under PPTP Encryption, you must allow one or both MSCHAP protocols and no other.

• MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is even more secure than MSCHAPv1. It requires mutual client-server authentication, uses session-unique keys for data encryption by MPPE, and derives different encryption keys for the send and receive paths. This protocol is not allowed by default. The VPN Concentrator internal user authentication server supports this protocol, but external authentication servers do not. If you check Required under PPTP Encryption, you must allow one or both MSCHAP protocols and no other.

• EAP Proxy = Extensible Authentication Protocol, defined in RFC 2284. EAP enables the VPN Concentrator to proxy the entire PPTP/L2TP authentication process to an external RADIUS authentication server. It provides additional authentication options for the Microsoft VPN Client (L2TP/IPSec), including EAP/MD5, Smartcards and certificates (EAP/TLS), and RSA SecurID (EAP/SDI). It requires that you configure an EAP-enabled RADIUS server. You cannot configure EAP if you are using encryption. It is configurable at the base group or group levels.

PPTP Encryption

Check the PPTP Encryption check boxes for the data encryption options that apply to PPTP clients.

• Required = During connection setup, PPTP clients must agree to use Microsoft encryption (MPPE) to encrypt data or they will not be connected. This option is unchecked by default. If you check this option, you must also allow only MSCHAPv1 and/or MSCHAPv2 under PPTP Authentication Protocols, and you must also check 40-bit and/or 128-bit here. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.

• Require Stateless = During connection setup, PPTP clients must agree to use stateless encryption to encrypt data or they will not be connected. With stateless encryption, the encryption keys are changed on every packet; otherwise, the keys are changed after some number of packets or whenever a packet is lost. Stateless encryption is more secure, but it requires more processing. However, it might perform better in a lossy environment (where packets are lost), such as the Internet. This option is not checked by default. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.

• 40-bit = PPTP clients are allowed to use the RSA RC4 encryption algorithm with a 40-bit key. This is significantly less secure than the 128-bit option. Microsoft encryption (MPPE) uses this algorithm. This option is checked by default. If you check Required, you must check this option and/or the 128-bit option.

• 128-bit = PPTP clients are allowed to use the RSA RC4 encryption algorithm with a 128-bit key. Microsoft encryption (MPPE) uses this algorithm. This option is checked by default. If you check Required, you must check this option and/or the 40-bit option. The U.S. government restricts the distribution of 128-bit encryption software.

PPTP Compression

If all members of this group are remote dial-in users connecting with modems, enabling data compression might speed up their data transmission rates. Data compression shrinks data by replacing repeating information with symbols that use less space. Check the PPTP Compression check box to enable data compression for PPTP. PPTP data compression uses the Microsoft Point-to-Point Compression (MPPC) protocol.

Note MPPC data compression increases the memory requirement and CPU utilization for each user session. Consequently, using data compression reduces the overall throughput of the VPN Concentrator and lowers the maximum number of sessions your VPN Concentrator can support. We recommend you enable data compression only if every member of the group is a remote user connecting with a modem. If any members of the group connect via broadband, do not enable data compression for the group. Instead, divide the group into two groups, one for modem users and the other for broadband users. Enable data compression only for the group of modem users.

Note PPTP data compression is only supported for clients that use stateless encryption.

L2TP Authentication Protocols

Check the L2TP Authentication Protocols check boxes for the authentication protocols that L2TP clients can use. To establish and use a VPN tunnel, users should be authenticated in accordance with a protocol.

Caution Unchecking all authentication options means that no authentication is required. That is, L2TP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.

These choices specify the allowable authentication protocols in order from least secure to most secure.

• PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. We strongly recommend that you not allow this protocol (the default).

• CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the client returns the encrypted [challenge plus password], with a cleartext username. It is more secure than PAP, but does not encrypt data. It is allowed by default.

• MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is similar to, but more secure than, CHAP. In response to the server challenge, the client returns the encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores, and compares, only encrypted passwords, rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption). This protocol is allowed by default. If you check Required under L2TP Encryption, you must allow one or both MSCHAP protocols and no other.

• MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is even more secure than MSCHAPv1. It requires mutual client-server authentication, uses session-unique keys for data encryption by MPPE, and derives different encryption keys for the send and receive paths. This protocol is not allowed by default. The VPN Concentrator internal user authentication server supports this protocol, but external authentication servers do not. If you check Required under L2TP Encryption, you must allow one or both MSCHAP protocols and no other.

• EAP Proxy = Extensible Authentication Protocol, defined in RFC 2284. EAP enables the VPN Concentrator to proxy the entire PPTP/L2TP authentication process to an external RADIUS authentication server. It provides additional authentication options for the Microsoft VPN Client (L2TP/IPSec), including EAP/MD5, Smartcards and certificates (EAP/TLS), and RSA SecurID (EAP/SDI). It requires that you configure an EAP-enabled RADIUS server. You cannot configure EAP if you are using encryption. It is configurable at the base group or group levels.

L2TP Encryption

Check the L2TP Encryption check boxes for the data encryption options that apply to L2TP clients.

• Required = During connection setup, L2TP clients must agree to use Microsoft encryption (MPPE) to encrypt data or they will not be connected. This option is unchecked by default. If you check this option, you must also allow only MSCHAPv1 and/or MSCHAPv2 under L2TP Authentication Protocols, and you must also check 40-bit and/or 128-bit here. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.

• Require Stateless = During connection setup, L2TP clients must agree to use stateless encryption to encrypt data or they will not be connected. With stateless encryption, the encryption keys are changed on every packet; otherwise, the keys are changed after some number of packets or whenever a packet is lost. Stateless encryption is more secure, but it requires more processing. However, it might perform better in a lossy environment (where packets are lost), such as the Internet. This option is unchecked by default. Do not check this option if you use NT Domain user authentication; NT Domain authentication cannot negotiate encryption.

• 40-bit = L2TP clients are allowed to use the RSA RC4 encryption algorithm with a 40-bit key. This is significantly less secure than the 128-bit option. Microsoft encryption (MPPE) uses this algorithm. This option is unchecked by default. If you check Required, you must check this option and/or the 128-bit option.

• 128-bit = L2TP clients are allowed to use the RSA RC4 encryption algorithm with a 128-bit key. Microsoft encryption (MPPE) uses this algorithm. This option is unchecked by default. If you check Required, you must check this option and/or the 40-bit option.

L2TP Compression

If all members of this group are remote dial-in users connecting with modems, enabling data compression might speed up their data transmission rates. Data compression shrinks data by replacing repeating information with symbols that use less space. Check the L2TP Compression check box to enable data compression for L2TP. L2TP data compression uses the Microsoft Point-to-Point Compression (MPPC) protocol.

Note MPPC data compression increases the memory requirement and CPU utilization for each user session. Consequently, using data compression reduces the overall throughput of the VPN Concentrator and lowers the maximum number of sessions your VPN Concentrator can support. We recommend you enable data compression only if every member of the group is a remote user connecting with a modem. If any members of the group connect via broadband, do not enable data compression for the group. Instead, divide the group into two groups, one for modem users and the other for broadband users. Enable data compression only for the group of modem users.

Note L2TP data compression is only supported for clients that use stateless encryption.
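The PPTP and L2TP sections above state the same set of constraints between the Authentication Protocols, Encryption and Compression boxes: Required encryption needs MSCHAPv1 and/or MSCHAPv2 and no other protocol plus at least one key length, EAP Proxy cannot be combined with encryption, NT Domain authentication cannot negotiate encryption, and MPPC compression only works with stateless encryption. The following Python validator is an added example, not Cisco code; it models those rules over a settings record. The TunnelSettings field names are assumptions that mirror the Manager's check boxes, and reading "using encryption" as either encryption requirement being checked is also an assumption.

```python
from dataclasses import dataclass, field

MSCHAP = {"MSCHAPv1", "MSCHAPv2"}
KNOWN_AUTH = {"PAP", "CHAP", "MSCHAPv1", "MSCHAPv2", "EAP Proxy"}


@dataclass
class TunnelSettings:
    """One group's PPTP or L2TP tab (field names are assumptions)."""
    protocol: str                            # "PPTP" or "L2TP"
    auth: set = field(default_factory=set)   # allowed authentication protocols
    required: bool = False                   # Encryption: Required
    require_stateless: bool = False          # Encryption: Require Stateless
    key_40: bool = False                     # Encryption: 40-bit
    key_128: bool = False                    # Encryption: 128-bit
    compression: bool = False                # MPPC compression box
    nt_domain_auth: bool = False             # group authenticates users against NT Domain


def check_settings(s: TunnelSettings) -> list:
    """Return (severity, message) pairs: 'error' for combinations the text says are
    invalid, 'weak' for allowed but insecure choices, 'warn' for a setting that will
    not take effect as configured.  An empty list means consistent and strong."""
    findings = []
    unknown = s.auth - KNOWN_AUTH
    if unknown:
        findings.append(("error", f"{s.protocol}: unknown authentication protocol(s) {sorted(unknown)}"))
    if not s.auth:
        # Unchecking every protocol is allowed for testing but lets clients connect unauthenticated.
        findings.append(("error", f"{s.protocol}: no authentication protocol allowed; clients connect unauthenticated"))
    if "PAP" in s.auth:
        findings.append(("weak", f"{s.protocol}: PAP sends the username and password in cleartext"))
    if s.required:
        # Required encryption needs MSCHAPv1 and/or MSCHAPv2 and no other protocol ...
        if not (s.auth & MSCHAP) or (s.auth - MSCHAP):
            findings.append(("error", f"{s.protocol}: Required encryption needs only MSCHAPv1/MSCHAPv2 allowed"))
        # ... and at least one key length.
        if not (s.key_40 or s.key_128):
            findings.append(("error", f"{s.protocol}: Required encryption needs 40-bit and/or 128-bit checked"))
    if (s.required or s.require_stateless) and s.nt_domain_auth:
        findings.append(("error", f"{s.protocol}: NT Domain authentication cannot negotiate encryption"))
    if "EAP Proxy" in s.auth and (s.required or s.require_stateless):
        # Assumption: "using encryption" means one of the two encryption requirements is checked.
        findings.append(("error", f"{s.protocol}: EAP Proxy cannot be configured together with encryption"))
    if s.key_40:
        findings.append(("weak", f"{s.protocol}: 40-bit RC4 is significantly less secure than 128-bit"))
    if s.compression and not s.require_stateless:
        findings.append(("warn", f"{s.protocol}: MPPC compression only works for clients using stateless encryption"))
    return findings


# Constructed samples: the PPTP defaults described above beside a hardened group.
DEFAULT_PPTP = TunnelSettings("PPTP", {"CHAP", "MSCHAPv1"}, key_40=True, key_128=True)
HARDENED_PPTP = TunnelSettings("PPTP", {"MSCHAPv2"}, required=True, require_stateless=True, key_128=True)

if __name__ == "__main__":
    for cfg in (DEFAULT_PPTP, HARDENED_PPTP):
        print(cfg.protocol, sorted(cfg.auth), check_settings(cfg) or "OK")
```

Run against the shipped defaults the only finding is the 40-bit key length; the hardened record (MSCHAPv2 only, Required, Require Stateless, 128-bit) passes clean. Note that the hardened form is only reachable with the internal authentication server, since the text says external servers do not support MSCHAPv2 and NT Domain authentication cannot negotiate encryption at all.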

Apply / Cancel

When you finish setting base-group parameters on all tabs, click Apply at the bottom of the screen to include your settings in the active configuration. The Manager returns to the Configuration | User Management screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | User Management screen.

WebVPN Parameters Tab

This screen lets you configure access to network resources for WebVPN users in the base group. The HTML interface visible to these WebVPN users varies depending on the values you set here. Users see a customized home page that includes only those features that you enable.

Note To enable WebVPN, you must also check the WebVPN checkbox in the Tunneling Protocols field of the General Tab in the Configuration | User Management | Base Group page.

Note End users need Sun Microsystems Java™ Runtime Environment (version 1.4 or later) installed for file access functionality to work properly.

WebVPN Parameters

These parameters let WebVPN users access network resources.

Figure 13-9 Configuration | User Management | Base Group | WebVPN Tab

Enable URL Entry

Check this box to place the URL entry box on the home page. If enabled, users can enter web addresses in the URL entry box, and use WebVPN to access those websites.

Be advised that using WebVPN does not ensure that communication with every site is secure. WebVPN ensures the security of data transmission between the remote user’s PC or workstation and the VPN Concentrator on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate VPN Concentrator to the destination web server is not secured.

In a WebVPN connection, the VPN Concentrator acts as a proxy between the end user’s web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the VPN Concentrator establishes a secure connection and validates the server’s SSL certificate. The end user’s browser never receives the presented certificate and therefore cannot examine or validate it.

The current implementation of WebVPN on the VPN Concentrator does not permit communication with sites that present expired certificates. Neither does the VPN Concentrator perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate an SSL-enabled web-server presents before communicating with it.

You may want to limit Internet access for WebVPN users. One way to do this is to uncheck the Enable URL Entry field. This prevents WebVPN users from surfing the Web during a WebVPN connection.

Enable File Access

Check to enable Windows file access (SMB/CIFS files only) through HTTPS. When this box is checked, users can access Windows files on the network. If you enable only this parameter for WebVPN file sharing, users can access only servers that you configure in the Configuration | Tunneling and Security | WebVPN | WebVPN Servers and URLs | Add/Modify pages. To let users access servers directly or to browse servers on the network, see the Enable File Server Entry and Enable File Server Browsing parameters.

Users can download, edit, delete, rename, and move files. They can also add files and folders.

Remember that shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing files, according to network requirements.

File access, server/domain access, and browsing require that you configure a WINS server or a master browser, typically on the same network as the VPN Concentrator, or reachable from that network. The WINS server or master browser provides the VPN Concentrator with a list of the resources on the network. You cannot use a DNS server instead. Configure WINS servers in the Configuration | System | Servers | NBNS screen.

Note File access is not supported in a native Active Directory environment when used with Dynamic DNS. It is supported when used with a WINS server.

Enable File Server Entry

Check to place the file server entry box on the portal page. File Access (above) must be enabled.

With this box checked, users can enter pathnames to Windows files directly. They can download, edit, delete, rename, and move files. They can also add files and folders.

Again, shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing files, according to network requirements.

Enable File Server Browsing

Check to let users browse the Windows network for domains/workgroups, servers and shares. File Access (above) must be enabled.

With this box checked, users can select domains and workgroups, and can browse servers and shares within those domains. Shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing servers, according to network requirements.

Enable Port Forwarding

WebVPN Port Forwarding provides access for remote users in the group to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access a remote server that supports that application.

Cisco has tested the following applications:

• Windows Terminal Services

• Telnet

• Secure FTP (FTP over SSH)

• Perforce

• Outlook Express

• Lotus Notes

Other TCP-based applications may also work, but Cisco has not tested them.

Note Port Forwarding does not work with some SSL/TLS versions. See Configuration | Tunneling and Security | SSL | Encryption | SSL Version field for more information.

With this box checked, users can access client/server applications by mapping TCP ports on the local and remote systems. You configure the specific TCP ports for application access for the base group in the Configuration | Tunneling and Security | WebVPN | Port Forwarding screen.

Note When users authenticate using digital certificates, the TCP Port Forwarding Java applet does not work. Java cannot access the web browser’s keystore; therefore Java cannot use the certificates that the browser uses for user authentication, and the application cannot start. Do not use digital certificates to authenticate WebVPN users if you want them to be able to access applications.

Apply ACL

Check to apply the WebVPN Access Control List defined for the users of this group.

Port Forwarding Name

This name identifies port forwarding to end users. The name you configure appears in the end user interface as a hotlink. When users click this link, a Java applet opens a window that displays a table listing, and providing access to, the port forwarding applications that you configure for these users.

Content Filter Parameters

These parameters let you block or remove the parts of websites that use Java or ActiveX, run scripts, display images, or deliver cookies. By default, these parameters are disabled, which means that no filtering occurs.

Filter Java/Active X

Check to remove <applet>, <embed> and <object> tags from HTML.

Filter Scripts

Check to remove <script> tags from HTML.

Filter Images

Check to remove <img> tags from HTML. Removing images speeds the delivery of web pages dramatically.

Filter Cookies from Images

Check to remove cookies that are delivered with images. This may preserve user privacy, because advertisers use cookies to track visitors.

WebVPN ACLs

You can configure WebVPN ACLs (Access Control Lists) to apply to user sessions. These are filters that permit or deny user access to specific networks, subnets, hosts, and web servers.

• If you do not define any filters, all connections are permitted.

• If you configure a permit filter, the default action is to deny connections other than what the filter defines.

Tip After you construct WebVPN ACLs, be sure to check the Apply ACL box further up on the screen.

ACL Syntax

An ACL can have up to 255 characters.

The broad syntax for ACLs is <action> <protocol> <keyword> <source> <destination>

The specific syntax for protocol filters and for URL filters follows. Descriptions of each field are after the examples.

Note ACLs with syntax errors result in no filtering because the Manager cannot recognize them as ACLs.

Protocol ACL Syntax

The syntax for WebVPN protocol filters is:

<permit/deny> <protocol> <source> <destination>

Example: permit ip any 10.86.9.0 0.0.0.255

Example: deny ip any host 10.86.9.22

URL ACL Syntax

The syntax for WebVPN URL filters is: <permit/deny> url <URL definition>

Example: deny url http://www.anyurl.com

Field Descriptions

Action

The action to perform if the rule matches: permit or deny.

Protocol

WebVPN protocols include ip, smtp, pop3, imap4, http, https, and cifs.

Required Keywords

For protocol ACLs: host, used only when a destination is specified as an IP address alone (without a wildcard mask).

For URL ACLs: url.

Source

The network or host from which the packet is sent, specified as an IP address and wildcard mask, a hostname, or any. The most common source is any, which means, literally, that the source can be any host.

Destination

The network or host to which the packet is sent, specified as one of the following:

• a hostname

• an IP address and wildcard mask, for example, 10.86.9.0 0.0.0.255

• host and an IP address, for example, host 10.86.9.22

URL Definition

The complete address of the http or https web server, or of the cifs, imap4s, pop3s, or smtps server.
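The ACL syntax above is small enough to parse and evaluate end to end. The following Python parser and evaluator is an added example, not Cisco code. It implements what the page states: the protocol and url forms, the 255-character limit, the host keyword for a bare destination IP, IP-plus-wildcard-mask matching, permit-all when no filters exist, and default deny once a permit filter is configured. Where the page is silent it makes these assumptions: entries are evaluated in order and the first match wins, a url entry matches any request URL that starts with it, hostnames compare case-insensitively, any is accepted as a destination as well as a source, and an entry with a syntax error is dropped while the remaining entries stay in force. The sample ACL is constructed from the page's own example addresses.

```python
import ipaddress
from dataclasses import dataclass

PROTOCOLS = {"ip", "smtp", "pop3", "imap4", "http", "https", "cifs"}
MAX_ACL_LEN = 255          # an ACL entry can have up to 255 characters

def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

@dataclass(frozen=True)
class Endpoint:
    kind: str            # "any", "host" (hostname or single IP) or "net" (IP plus wildcard mask)
    value: str = ""
    wildcard: int = 0    # wildcard mask as an integer; 1 bits are "don't care"

    def matches(self, addr):
        if self.kind == "any":
            return True
        if self.kind == "host":
            return addr.lower() == self.value
        if not _is_ipv4(addr):     # a hostname never matches an IP/wildcard entry
            return False
        diff = int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(self.value))
        return (diff & ~self.wildcard) == 0

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    protocol: str          # "url" or one of PROTOCOLS
    src: Endpoint = None
    dst: Endpoint = None
    url: str = ""

def _endpoint(tokens, i, is_destination):
    """Consume one source or destination starting at tokens[i]; return (Endpoint, next index)."""
    tok = tokens[i]
    if tok == "any":
        return Endpoint("any"), i + 1
    if tok == "host":              # 'host' keyword: destination given as a single IP address
        if not is_destination or i + 1 >= len(tokens) or not _is_ipv4(tokens[i + 1]):
            raise ValueError("'host' is valid only for a destination and needs an IP address")
        return Endpoint("host", tokens[i + 1]), i + 2
    if _is_ipv4(tok):              # a bare IP address must be followed by a wildcard mask
        if i + 1 >= len(tokens) or not _is_ipv4(tokens[i + 1]):
            raise ValueError(f"{tok} needs a wildcard mask (or use 'host')")
        return Endpoint("net", tok, int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2
    return Endpoint("host", tok.lower()), i + 1      # anything else is a hostname

def parse_rule(line):
    """Parse one ACL entry in either the protocol form or the url form."""
    if len(line) > MAX_ACL_LEN:
        raise ValueError(f"ACL longer than {MAX_ACL_LEN} characters")
    tokens = line.split()
    if len(tokens) < 3 or tokens[0].lower() not in ("permit", "deny"):
        raise ValueError("entry must read '<permit/deny> <protocol> ...'")
    action, proto = tokens[0].lower(), tokens[1].lower()
    if proto == "url":
        if len(tokens) != 3:
            raise ValueError("url entry takes exactly one URL")
        return Rule(action, "url", url=tokens[2].lower())
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    src, i = _endpoint(tokens, 2, is_destination=False)
    if i >= len(tokens):
        raise ValueError("missing destination")
    dst, i = _endpoint(tokens, i, is_destination=True)
    if i != len(tokens):
        raise ValueError(f"unexpected trailing tokens {tokens[i:]}")
    return Rule(action, proto, src, dst)

def compile_acl(lines):
    """Parse every entry; a malformed entry is reported and dropped (it filters nothing)."""
    rules, errors = [], []
    for line in filter(str.strip, lines):
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            errors.append((line, str(exc)))
    return rules, errors

def decide(rules, proto, src, dst, url=""):
    """Return 'permit' or 'deny' for one connection; the first matching entry wins."""
    if not rules:
        return "permit"            # no filters configured: all connections are permitted
    for r in rules:
        if r.protocol == "url":
            if url and url.lower().startswith(r.url):
                return r.action
        elif r.protocol in ("ip", proto) and r.src.matches(src) and r.dst.matches(dst):
            return r.action
    # Once a permit entry exists, the default action is deny.
    return "deny" if any(r.action == "permit" for r in rules) else "permit"

# Constructed sample: the specific deny precedes the broad permit so that it takes effect.
SAMPLE_ACL = ["deny ip any host 10.86.9.22",
              "permit ip any 10.86.9.0 0.0.0.255",
              "deny url http://www.anyurl.com"]
```

Two points the evaluator makes visible: with first-match evaluation, placing the permit for 10.86.9.0 0.0.0.255 before the deny for host 10.86.9.22 would silently override the deny, and a single mistyped entry (for instance a destination IP without its wildcard mask) is reported by compile_acl rather than quietly filtering nothing, which is the failure mode the Note above warns about.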

Add or Apply / Cancel

When you finish setting or changing parameters on all tabs, click Add or Apply at the bottom of the screen to Add this specific group to the list of configured groups, or to Apply your changes. Both actions include your settings in the active configuration. The Manager returns to the Configuration | User Management | Groups screen. Any new groups appear in alphabetical order in the Current Groups list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click the Cancel button. The Manager returns to the Configuration | User Management | Groups screen, and the Current Groups list is unchanged.

Configuration | User Management | Groups

This section of the Manager lets you configure access and usage parameters for specific groups. A group is a collection of users treated as a single entity. Groups inherit parameters from the base group.

For information on groups and users, see the User Management section.

Configuring internal groups in this section means configuring them on the VPN Concentrator internal authentication server. The system automatically configures the internal server when you add the first internal group.

Configuring external groups means configuring them on an external authentication server such as RADIUS.

Note If a RADIUS server is configured to return the Class attribute (#25), the VPN Concentrator uses that attribute to authenticate the Group Name. On the RADIUS server, the attribute must be formatted as OU=groupname; where groupname is identical to the Group Name configured on the VPN Concentrator. For example: OU=Finance;

Note If you are using an external authentication server, keep in mind that usernames and group names must be unique. When naming a group, do not pick a name that matches the name of any external user; and conversely, when assigning a name to an external user, do not choose the name of any existing group.
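The two notes above fix an exact format for the RADIUS Class attribute and a uniqueness rule for names. The following Python helpers are an added example, not Cisco code, showing how a defender would validate both before trusting an external server's answer: the Class value must read exactly OU=groupname; and groupname must match a configured Group Name identically, so the parse is strict and the lookup is case-sensitive. The function names are assumptions; the uniqueness check compares names case-insensitively, which is a conservative assumption rather than something the page states.

```python
from typing import Iterable, List, Optional


def group_from_class_attribute(value: str) -> Optional[str]:
    """Return the group name carried in a Class attribute, or None when the value
    does not have the required OU=groupname; form (the attribute is then ignored)."""
    if not value.startswith("OU=") or not value.endswith(";"):
        return None
    name = value[len("OU="):-1]
    return name if name and ";" not in name else None


def resolve_group(class_value: str, configured_groups: Iterable[str]) -> Optional[str]:
    """Map a Class attribute to a configured Group Name; the match must be identical."""
    name = group_from_class_attribute(class_value)
    return name if name in set(configured_groups) else None


def name_collisions(candidate: str, groups: Iterable[str], external_users: Iterable[str]) -> List[str]:
    """Explain why a proposed group or user name would be ambiguous when an external
    authentication server is in use: it must match no existing group and no external
    username (case-insensitive comparison is an assumption chosen to be conservative)."""
    wanted = candidate.lower()
    problems = []
    if wanted in {g.lower() for g in groups}:
        problems.append(f"{candidate!r} is already a group name")
    if wanted in {u.lower() for u in external_users}:
        problems.append(f"{candidate!r} is already an external username")
    return problems


if __name__ == "__main__":
    # Constructed sample data, not from a real server.
    groups = {"Finance", "Engineering"}
    for value in ("OU=Finance;", "OU=Finance", "OU=finance;"):
        print(value, "->", resolve_group(value, groups))
    print(name_collisions("finance", groups, {"jdoe", "finance"}))
```

The second and third sample values show the two most common mismatches, a missing trailing semicolon and a case difference, both of which leave the user in the base group rather than the intended one; that silent fallback is worth a log line in any deployment that relies on Class-based group assignment.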

Figure 13-10 Configuration | User Management | Groups Screen

Actions

Use the Actions buttons to add, modify, or delete groups.

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Add Group

To configure and add a new group, click Add Group. The Manager opens the Configuration | User Management | Groups | Add screen.

Modify Group

To modify parameters for a group that has been configured, select the group from the list and click Modify Group. The Manager opens the appropriate internal or external Configuration | User Management | Groups | Modify screen.

Delete Group

To remove a group that has been configured, select the group from the list and click Delete Group.

Note There is no confirmation or undo. However, deleting a group that has certificate group matching rules defined for it also deletes these rules. In this case, the VPN Concentrator displays a warning message asking you to confirm that you really want to delete the group.

The Manager refreshes the screen and shows the remaining groups in the list. When you delete a group, all its members revert to the base group. Deleting a group, however, does not delete the user profiles of the members.

You cannot delete a group that is configured as part of a LAN-to-LAN connection. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen.

Current Groups

The Current Groups list shows configured groups in alphabetical order, and whether they are internal or external. If no groups have been configured, the list shows --Empty--.

Modify

Use the Modify buttons to add, modify, or delete the following parameters associated with this group: authentication servers, authorization servers, accounting servers, address pools, client update, bandwidth assignment, WebVPN servers and URLs, and WebVPN port forwarding.

Authentication Servers

To modify authentication server parameters, select the group from the list and click Authentication Servers. The Manager opens the Configuration | User Management | Groups | Authentication Servers screen.

Authorization Servers

To modify authorization server parameters, select the group from the list and click Authorization Servers. The Manager opens the Configuration | User Management | Groups | Authorization Servers screen.

Accounting Servers

To modify accounting server parameters, select the group from the list and click Accounting Servers. The Manager opens the Configuration | User Management | Groups | Accounting Servers screen.

Address Pools

To modify address pools, select the group from the list and click Address Pools. The Manager opens the Configuration | User Management | Groups | Address Pools screen.

Client Update

To modify client update entries, select the group from the list and click Client Update. The Manager opens the Configuration | User Management | Groups | Client Update screen.

Bandwidth Assignment

To assign a bandwidth management policy, select the group from the list and click Bandwidth Assignment. The Manager opens the Configuration | User Management | Groups | Bandwidth Policy screen.

WebVPN Servers and URLs

To configure access to specific servers and URLs, select the group from the list and click WebVPN Servers and URLs. The Manager opens the Configuration | User Management | Groups | WebVPN Servers and URLs screen.

WebVPN Port Forwarding

To configure access to applications, select the group from the list and click WebVPN Port Forwarding. The Manager opens the Configuration | User Management | Groups |WebVPN Port Forwarding screen.


Configuration | User Management | Groups | Add or Modify (Internal)

These screens let you:

• Add: Configure and add a new group.

• Modify: Change parameters for a group that you have previously configured on the internal server. The screen title identifies the group you are modifying.

For many of these parameters, you can simply specify that the group “inherit” parameters from the base group, which you should configure first. You can also override the base-group parameters as you configure groups. See the Configuration | User Management | Base Group screen.

On this screen, you configure the following kinds of parameters:

• Identity Parameters: Name, password, and type.

• General Parameters: Security, access, performance, and protocols.

• IPSec Parameters: IP Security tunneling protocol.

• Mode Config Parameters: Banner, password storage, split-tunneling policy, default domain name, IPSec over UDP, backup servers.

• Client FW Parameters: VPN Client personal firewall requirements.

• HW Client Parameters: Interactive hardware client authentication and individual user authentication.

• PPTP/L2TP Parameters: PPTP and L2TP tunneling protocols.

• WebVPN: SSL VPN access.

Using the Tabs

This screen has a tabbed section for each of the parameter sets listed above. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Add/Apply or Cancel.


Identity Parameters Tab

This tab lets you configure the name, password, and authentication server type for this group.

Figure 13-11 Configuration | User Management | Groups | Add or Modify (Internal) Screen, Identity Tab

Group Name

Enter a unique name for this specific group. The name cannot match any existing user or group name. (If you are using an external authentication server, see the note about naming on page 13-61.)

The maximum name length is 64 characters. Entries are case-sensitive. Changing a group name automatically updates the group name for all users in the group.

If you are setting up a group for remote access users connecting with digital certificates, first find out the value of the Organizational Unit (OU) field of the users’ identity certificates. (Ask your certificate administrator for this information.) The group name you assign must match this value exactly. If users in the group have different OU values, set up a separate group for each distinct OU value.

If the Group Name field configured here and the OU field of the user’s identity certificate do not match, when the user attempts to connect, the VPN Concentrator considers the user to be a member of the base group. The base group parameter definitions might be configured differently than the user wants or expects. If the base group does not support digital certificates, the connection fails.

See the note about configuring the RADIUS Class attribute under “Configuration | User Management | Groups”.

Password

Enter a unique password for this group. The minimum password length is 4 characters. The maximum is 32 characters. Entries are case-sensitive. The field displays only asterisks.


Verify

Re-enter the group password to verify it. The field displays only asterisks.

Type

Click the Type drop-down menu button and select the authentication server type (authentication method) for this group:

• Internal = Use the internal VPN Concentrator authentication server. This is the default selection. If you select this type, configure the parameters on the other tabs on this screen. The VPN Concentrator automatically configures its internal server when you add the first internal group.

• External = Use an external authentication server, such as RADIUS, for this group. If you select this type, ignore the rest of the tabs and parameters on this screen. The external server supplies the group parameters if it can; otherwise the base-group parameters apply.


General Parameters Tab

This tab lets you configure general security, access, performance, and tunneling protocol parameters that apply to this internally configured group.

Figure 13-12 Configuration | User Management | Groups | Add or Modify (Internal) Screen, General Tab


Value / Inherit?

On this tabbed section:

• The Inherit? check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, uncheck the check box. If you uncheck the check box, you must also enter or change any corresponding Value field; do not leave the field blank.

• The Value column thus shows either base-group parameter settings that also apply to this group (Inherit? checked), or unique parameter settings configured for this group (Inherit? cleared).

Note The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.

Access Hours

Click the Access Hours drop-down menu button and select the named hours when this group’s remote-access users can access the VPN Concentrator. Configure access hours on the Configuration | Policy Management | Access Hours screen. Default entries are:

• -No Restrictions- = No named access hours applied, which means that there are no restrictions on access hours.

• Never = No access at any time.

• Business Hours = Access 9 a.m. to 5 p.m., Monday through Friday.

Additional named access hours that you have configured also appear on the list.

Simultaneous Logins

Enter the number of simultaneous logins permitted for a single internal user in this group. The minimum is 0, which disables login and prevents user access. While there is no maximum limit, allowing several could compromise security and affect performance.

Minimum Password Length

Enter the minimum number of characters for this group’s user passwords. The minimum is 1, and the maximum is 32. To protect security, we strongly recommend 8 or higher.


Allow Alphabetic-Only Passwords

Check the Allow Alphabetic-Only Passwords check box to let this group’s users set passwords that contain only alphabetic characters. This option applies only to users who are configured in and authenticated by the VPN Concentrator internal authentication server. To protect security, we strongly recommend that you not allow such passwords; require passwords that mix alphabetic characters, numbers, and symbols, such as 648e&9G#.

Idle Timeout

Enter the group’s idle timeout period in minutes. If there is no communication activity on a user connection in this period, the system terminates the connection. The minimum is 1, and the maximum is 10080 minutes. To disable timeout and allow an unlimited idle period, enter 0.

Note This value applies to WebVPN users unless you set it to 0 (zero). In that case, the WebVPN idle timeout set in Configuration | Tunneling and Security | WebVPN | HTTPS Proxy Default Idle Timeout applies.

We recommend a short idle-timeout value for WebVPN users. When a browser has cookies disabled, or prompts for cookies and the user denies them, the login does not complete, but the attempt still appears as a session in the Administration | Administer Sessions | RAS database. If Simultaneous Logins (Configuration | User Management | Base Group/Groups) is set to 1, the user cannot log in again until that stale session is cleared, because the maximum number of connections already exists. A low idle timeout removes these stale sessions quickly, letting the user reconnect.

Maximum Connect Time

Enter the group’s maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, enter 0.
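The following Python script is an added example, not code from the manual or from the VPN Concentrator itself. It models how the General-tab limits above combine when a login is attempted or a session is reaped: Simultaneous Logins of 0 disables login, Idle Timeout and Maximum Connect Time of 0 mean unlimited, and Business Hours is 9 a.m. to 5 p.m. Monday through Friday. The GroupPolicy and Session types, the function names, and the scenario (a stale WebVPN session blocking a reconnect while Simultaneous Logins is 1, until a short idle timeout clears it) are constructed for illustration.

```python
"""Added example (not from the Cisco manual): enforcing a group's General-tab
session limits. GroupPolicy, Session and the function names are assumptions
made for this illustration; the rules follow the manual's text."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class GroupPolicy:
    simultaneous_logins: int = 3
    idle_timeout_min: int = 30      # 0 = unlimited idle period
    max_connect_min: int = 0        # 0 = unlimited connect time
    access_hours: str = "-No Restrictions-"


@dataclass
class Session:
    user: str
    started: datetime
    last_activity: datetime


def within_access_hours(policy: GroupPolicy, now: datetime) -> bool:
    """The three default named access hours; other names would be looked up
    in Configuration | Policy Management | Access Hours."""
    if policy.access_hours == "-No Restrictions-":
        return True
    if policy.access_hours == "Never":
        return False
    if policy.access_hours == "Business Hours":
        return now.weekday() < 5 and 9 <= now.hour < 17
    raise ValueError(f"unknown named access hours: {policy.access_hours!r}")


def may_login(policy: GroupPolicy, user: str, active: List[Session],
              now: datetime) -> Tuple[bool, str]:
    """Decide whether a new login for `user` is permitted right now."""
    if policy.simultaneous_logins == 0:
        return False, "Simultaneous Logins is 0: login disabled for this group"
    if not within_access_hours(policy, now):
        return False, "outside the group's access hours"
    current = sum(1 for s in active if s.user == user)
    if current >= policy.simultaneous_logins:
        return False, f"{user} already has {current} session(s); limit reached"
    return True, "ok"


def termination_reason(policy: GroupPolicy, session: Session,
                       now: datetime) -> Optional[str]:
    """Why the system would terminate this session now, or None to keep it."""
    if policy.idle_timeout_min:   # 0 disables the idle timeout
        if now - session.last_activity >= timedelta(minutes=policy.idle_timeout_min):
            return "idle timeout"
    if policy.max_connect_min:    # 0 allows unlimited connect time
        if now - session.started >= timedelta(minutes=policy.max_connect_min):
            return "maximum connect time"
    return None


def reap(policy: GroupPolicy, active: List[Session], now: datetime) -> List[Session]:
    """Return the sessions that survive policy enforcement at `now`."""
    return [s for s in active if termination_reason(policy, s, now) is None]


# Constructed scenario: a WebVPN login that never completed (cookies denied)
# left a stale session for alice six minutes ago.
NOW = datetime(2004, 1, 14, 10, 0)            # a Wednesday, 10:00
SATURDAY_10AM = datetime(2004, 1, 17, 10, 0)
POLICY = GroupPolicy(simultaneous_logins=1, idle_timeout_min=5,
                     max_connect_min=480, access_hours="Business Hours")
STALE_SESSION = Session("alice", NOW - timedelta(minutes=6),
                        NOW - timedelta(minutes=6))

if __name__ == "__main__":
    print(may_login(POLICY, "alice", [STALE_SESSION], NOW))          # blocked
    survivors = reap(POLICY, [STALE_SESSION], NOW)                   # stale one reaped
    print(may_login(POLICY, "alice", survivors, NOW))                # allowed again
```

With Idle Timeout set to 0 the stale session is never reaped, which is the situation the note above warns about; with a short timeout it disappears after five minutes and the user can reconnect.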

Filter

Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies three default filters, which you can modify. To configure filters and rules, see the Configuration | Policy Management | Traffic Management screens.

Click the Filter drop-down menu button and select the filter to apply to this group’s users:

• --None-- = No filter applied, which means there are no restrictions on tunneled data traffic.

• Private (Default) = Allow all packets except source-routed IP packets. (This is the default filter for the private Ethernet interface.)

• Public (Default) = Allow inbound and outbound tunneling protocols plus ICMP and VRRP. Allow fragmented IP packets. Drop everything else, including source-routed packets. (This is the default filter for the public Ethernet interface.)

• External (Default) = No rules applied to this filter. Drop all packets. (This is the default filter for the external Ethernet interface.)

Additional filters that you have configured also appear on the list.


Release 4.1 Affects Filters

In Release 4.0, a filter that admits HTTPS from a single PC is enforced as follows:

• Rule 1. Allow HTTPS In/Out for PC 1.

• Rule 2. Drop all other HTTPS traffic (the default action).

When you upgrade to Release 4.1 and enable the Allow Management HTTPS sessions or Allow WebVPN HTTPS sessions parameters on the public interface, enforcement changes. The VPN Concentrator now enforces filter rules in the following order:

• Rule 1. Allow HTTPS in/out for PC 1.

• Rule 2. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.

• Rule 3. Drop all other HTTPS traffic (the default action).

Rule 2 matches all remaining HTTPS traffic, so Rule 3 never fires: any PC on the public network can open HTTPS sessions to the VPN Concentrator.

With Release 4.1 you must therefore add an explicit rule that drops HTTPS traffic from all other PCs before the implicit allow is reached. In the following example, Rule 2 is the one you must define:

• Rule 1. Allow HTTPS In/Out for PC 1.

• Rule 2. Disallow every other PC (0.0.0.0/255.255.255.255).

• Rule 3. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.

• Rule 4. Drop all other HTTPS traffic (the default action).
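The rule ordering described above is a first-match shadowing problem, and the following Python script is an added example (not code from the manual or the product) that makes it visible. It models only HTTPS packets arriving at the public interface; the Rule class, the rule names, and the two sample addresses are constructed for the illustration, and the manual’s 0.0.0.0/255.255.255.255 (address plus wildcard mask) is written as the CIDR 0.0.0.0/0. The `shadowed` helper flags rules that can never fire because an earlier rule already covers every source they would match, which is exactly what happens to the default drop after the upgrade.

```python
"""Added example (not from the Cisco manual): first-match model of the
Release 4.0 versus 4.1 HTTPS filter ordering and the explicit deny that
restores the intended policy. Rule names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "drop"
    source: str      # source network in CIDR; 0.0.0.0/0 matches every host

    def matches(self, src_ip: str) -> bool:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)


PC1 = "203.0.113.10"        # constructed: the one PC that should get HTTPS
OTHER_PC = "198.51.100.7"   # constructed: any other host on the public network

ALLOW_PC1 = Rule("Allow HTTPS In/Out for PC 1", "allow", PC1 + "/32")
DENY_EVERY_OTHER_PC = Rule("Disallow every other PC", "drop", "0.0.0.0/0")
IMPLICIT_MGMT_ALLOW = Rule("Allow Management/WebVPN HTTPS sessions", "allow", "0.0.0.0/0")
DEFAULT_DROP = Rule("Drop all other HTTPS traffic (default)", "drop", "0.0.0.0/0")


def build_filter(user_rules: List[Rule], release: str,
                 mgmt_https_enabled: bool) -> List[Rule]:
    """4.0: user rules, then the default drop.
    4.1 with Allow Management HTTPS / Allow WebVPN HTTPS enabled on the
    interface: user rules, then the implicit allow, then the default drop."""
    rules = list(user_rules)
    if release == "4.1" and mgmt_https_enabled:
        rules.append(IMPLICIT_MGMT_ALLOW)
    rules.append(DEFAULT_DROP)
    return rules


def evaluate(rules: List[Rule], src_ip: str) -> Tuple[str, str]:
    """The first matching rule decides; returns (action, rule name)."""
    for rule in rules:
        if rule.matches(src_ip):
            return rule.action, rule.name
    raise AssertionError("the default drop rule must always match")


def shadowed(rules: List[Rule]) -> List[str]:
    """Rules that can never fire because an earlier rule already covers
    every source address they would match."""
    out = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule.source)
        if any(net.subnet_of(ipaddress.ip_network(e.source)) for e in rules[:i]):
            out.append(rule.name)
    return out


RELEASE_40 = build_filter([ALLOW_PC1], "4.0", True)
RELEASE_41 = build_filter([ALLOW_PC1], "4.1", True)
RELEASE_41_FIXED = build_filter([ALLOW_PC1, DENY_EVERY_OTHER_PC], "4.1", True)

if __name__ == "__main__":
    for label, rules in (("4.0", RELEASE_40), ("4.1", RELEASE_41),
                         ("4.1 with explicit deny", RELEASE_41_FIXED)):
        print(f"{label:24s} other PC -> {evaluate(rules, OTHER_PC)}  "
              f"shadowed: {shadowed(rules)}")
```

After the upgrade the default drop is reported as shadowed and the other PC is allowed; with the explicit deny in second position the implicit allow is the rule that becomes unreachable, which is the intended outcome.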


Note on DNS and WINS Entries:

If the base group uses DNS or WINS, and:

• this group uses the base-group setting: check the appropriate Inherit? box (the default).

• this group uses different DNS or WINS servers: uncheck the appropriate Inherit? check box and enter this group’s server IP address(es).

• this group does not use DNS or WINS: uncheck the appropriate Inherit? check box and enter 0.0.0.0 in the IP address field.

If the base group does not use DNS or WINS, and:

• this group also does not use DNS or WINS: check the appropriate Inherit? check box (the default).

• this group uses DNS or WINS: uncheck the appropriate Inherit? check box and enter this group’s server IP address(es).

Note WebVPN users get their DNS information from the DNS servers you configure globally in the Configuration | System | Servers | DNS screen. They do not get DNS information from the Base Group or Group settings.

Primary DNS

Enter the IP address, in dotted decimal notation, of the primary DNS server for this group’s users. The system sends this address to the client as the first DNS server to use for resolving host names. See the preceding note.

Secondary DNS

Enter the IP address, in dotted decimal notation, of the secondary DNS server for this group’s users. The system sends this address to the client as the second DNS server to use for resolving host names. See the preceding note.

Primary WINS

Enter the IP address, in dotted decimal notation, of the primary WINS server for this group’s users. The system sends this address to the client as the first WINS server to use for resolving host names under Windows NT. See the preceding note.

Secondary WINS

Enter the IP address, in dotted decimal notation, of the secondary WINS server for this group’s users. The system sends this address to the client as the second WINS server to use for resolving host names under Windows NT. See the preceding note.

SEP Card Assignment

The VPN Concentrator can contain up to four Scalable Encryption Processing (SEP) or SEP-E (Enhanced SEP) modules that handle encryption functions, which are compute-intensive. This parameter lets you configure the load on each SEP or SEP-E module.


Check the SEP Card Assignment check box to assign this group to a given SEP or SEP-E module. If your system does not have that SEP or SEP-E module, the parameter is ignored.


Tunneling Protocols

Check the desired Tunneling Protocols check boxes to select the VPN tunneling protocols that this group’s user clients can use. Configure parameters on the IPSec or PPTP/L2TP tabs as appropriate. Clients can use only the selected protocols.

You cannot check both IPSec and L2TP over IPsec. The IPSec parameters differ for these two protocols, and you cannot configure a single group for both.

• PPTP = Point-to-Point Tunneling Protocol. PPTP is a client-server protocol, and it is popular with Microsoft clients. Microsoft Dial-Up Networking (DUN) 1.2 and 1.3 under Windows 95/98 support it, as do versions of Windows NT 4.0 and Windows 2000.

• L2TP = Layer 2 Tunneling Protocol. L2TP is a client-server protocol. It combines many features from PPTP and L2F (Layer 2 Forwarding).

• IPSec = IP Security Protocol. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec. The Cisco VPN Client is an IPSec client specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients.

• L2TP over IPSec = L2TP using IPSec for security. L2TP packets are encapsulated within IPSec, which adds an authentication and encryption layer. L2TP over IPSec is a client-server protocol that interoperates with the Windows 2000 VPN client. Other standards-compliant remote-access clients also work with it, but they are not officially supported.

• WebVPN = VPN via SSL/TLS. Uses a web browser to establish a secure remote-access tunnel to a VPN Concentrator; requires neither a software nor hardware client. WebVPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.

Note If no protocol is selected, none of the client users in this group can access or use the VPN.

Strip Realm

Check the Strip Realm check box to remove the realm qualifier of the username during authentication. If you check this Strip Realm box, authentication is based on the username alone. Otherwise, authentication is based on the full username<delimiter>realm string. You must check this box if your server is unable to parse delimiters.

Note If you are using the Group Lookup feature and Strip Realm, do not use the @ character for the group delimiter. See the section, “Configuration | System | General | Global Authentication Parameters,” of this guide for a full explanation of how the VPN Concentrator interprets delimiters with respect to realms and groups.

DHCP Network Scope

To use this feature, the VPN Concentrator must be using a DHCP server for address assignment. To configure a DHCP server, see the Configuration | System | Servers | DHCP screen.


Enter the IP sub-network that the DHCP server should assign to users in this group, for example: 200.0.0.0. The DHCP Network Scope indicates to the DHCP server the range of IP addresses from which to assign addresses to users in this group.

Enter 0.0.0.0 for the default; by default, the DHCP server assigns addresses to the IP sub-network of the VPN Concentrator’s private interface.

IPSec Parameters Tab

This tab lets you configure IP Security Protocol parameters that apply to this internally configured group.

Four parameters on this tab apply to WebVPN users in the group: Authentication, Authorization Type, Authorization Required, and DN field.


Figure 13-13 Configuration | User Management | Groups | Add or Modify (Internal) Screen, IPSec Tab


Value / Inherit?

On this tabbed section:

• The Inherit? check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, uncheck the check box. If you uncheck the check box, you must also enter or change any corresponding Value field; do not leave the field blank.

• The Value column thus shows either base-group parameter settings that also apply to this group (Inherit? checked), or unique parameter settings configured for this group (Inherit? cleared).

Note The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.

IPSec SA

Click the IPSec SA drop-down menu button and select the IPSec Security Association (SA) assigned to this group’s IPSec clients. During tunnel establishment, the client and server negotiate a Security Association that governs authentication, encryption, encapsulation, key management, etc. You configure IPSec Security Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens.

To use IPSec with remote-access clients, you must assign an SA. With IPSec LAN-to-LAN connections, the system ignores this selection and uses parameters from the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screens.

The VPN Concentrator supplies these default selections:

• --None-- = No SA assigned.

• ESP-DES-MD5 = This SA uses DES 56-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.

• ESP-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.

• ESP/IKE-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.

• ESP-3DES-NONE = This SA uses Triple-DES 168-bit data encryption and no authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel. Because ESP runs without authentication, tunneled data has no integrity protection with this SA.

• ESP-L2TP-TRANSPORT = This SA uses DES 56-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic (with ESP applied only to the transport layer segment), and it uses Triple-DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the L2TP over IPSec tunneling protocol.

• ESP-3DES-MD5-DH7 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel. It uses Diffie-Hellman Group 7 (ECC) to negotiate Perfect Forward Secrecy. This option is intended for use with the MovianVPN client, but you can use it with other clients that support D-H Group 7 (ECC).


• ESP-3DES-MD5-DH5 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel. It uses Diffie-Hellman Group 5 to negotiate Perfect Forward Secrecy.

• ESP-AES128-SHA = This SA uses AES 128-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/SHA/HMAC-128 authentication for IPSec traffic, and SHA/HMAC-128 authentication for the IKE tunnel.

Additional SAs that you have configured also appear on the list. DES 56-bit encryption and MD5 authentication are legacy choices; prefer the Triple-DES or AES and SHA variants wherever your clients support them.

IKE Peer Identity Validation

Click the IKE Peer Identity Validation drop-down menu button, and choose the type of peer identity validation.

Note This option applies only to tunnel negotiations based on certificates.

During IKE tunnel establishment, the peer provides its identity: either an IP address, a fully qualified domain name (FQDN), or a distinguished name (DN). It also presents a certificate, which contains none, some, or all of these fields. If IKE peer identity validation is enabled, the VPN Concentrator compares the peer’s identity to the like field in the certificate to see if the information matches. If the information matches, then the peer’s identity is validated and the VPN Concentrator establishes the tunnel. If the information does not match, the VPN Concentrator drops the tunnel. This feature provides additional security.

IKE peer identity validation can be useful for binding a peer to a particular IP address or domain name. For example, if the IP address that the peer provided as an identification during tunnel establishment does not match the IP address in its certificate, the VPN Concentrator fails to validate the peer and drops the tunnel.

Ideally all VPN Concentrator peers are configured to provide matching types of identity and certificate fields. In this case, enabling peer identity validation ensures that the VPN Concentrator checks the validity of every peer, and only validated peers connect. But in actuality, some peers might not be configured to provide this data. Some peers might provide certificates that do not contain any of the matching fields required for an identity check. If a peer does not provide sufficient information for the VPN Concentrator to check its identity, there are two possibilities: the VPN Concentrator either establishes the session or drops it. If you want the VPN Concentrator to drop sessions of peers that do not provide sufficient information to perform an identity check, choose Required. If you want the VPN Concentrator to establish sessions for peers that do not provide sufficient identity information to perform a check, select If supported by Certificate.

• Required = Enable the IKE peer identity validation feature. If a peer’s certificate does not provide sufficient information to perform an identity check, drop the tunnel.

• If supported by certificate = Enable the IKE peer identity validation feature. If a peer’s certificate does not provide sufficient information to perform an identity check, allow the tunnel.

• Do not check = Do not check the peer’s identity at all. Selecting this option disables the feature.
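The following Python script is an added example, not code from the manual or the VPN Concentrator, that ties together two certificate-driven decisions described in this chapter: selecting a group from the OU of a user’s identity certificate (exact, case-sensitive match, otherwise the base group, as described under Group Name on the Identity tab) and the three IKE Peer Identity Validation settings above. The certificate is a constructed dictionary of already-parsed X.509 fields rather than a real certificate; the field names, the mapping from IKE identity type to certificate field, and the function names are this example’s assumptions.

```python
"""Added example (not from the Cisco manual): group selection by certificate
OU, and the Required / If supported by certificate / Do not check modes of
IKE peer identity validation. The certificate dict is constructed."""
from typing import Dict, Optional, Set, Tuple

REQUIRED = "Required"
IF_SUPPORTED = "If supported by certificate"
DO_NOT_CHECK = "Do not check"

# Which certificate field must agree with each kind of IKE identity payload
# (assumed mapping for this illustration).
_CERT_FIELD_FOR_ID_TYPE = {
    "ipv4": "san_ip",       # subjectAltName iPAddress
    "fqdn": "san_dns",      # subjectAltName dNSName
    "dn": "subject_dn",     # subject distinguished name
}


def ou_from_dn(dn: str) -> Optional[str]:
    """Return the first OU attribute of a comma-separated DN string, if any."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key == "OU":
            return value
    return None


def select_group(cert: Dict[str, str], configured_groups: Set[str],
                 base_group: str = "Base Group") -> str:
    """The group name must match the certificate OU exactly (case-sensitive);
    anything else lands the user in the base group."""
    ou = ou_from_dn(cert.get("subject_dn", ""))
    return ou if ou in configured_groups else base_group


def validate_peer_identity(id_type: str, id_value: str,
                           cert: Dict[str, str], mode: str) -> Tuple[bool, str]:
    """Return (accept_tunnel, reason) for one IKE identity payload."""
    if mode == DO_NOT_CHECK:
        return True, "peer identity validation disabled"
    field = _CERT_FIELD_FOR_ID_TYPE.get(id_type)
    if field is None:
        raise ValueError(f"unsupported IKE identity type {id_type!r}")
    cert_value = cert.get(field)
    if cert_value is None:
        # The certificate cannot support this check at all.
        if mode == REQUIRED:
            return False, f"certificate has no {field}; Required: drop tunnel"
        return True, f"certificate has no {field}; not required: allow tunnel"
    if cert_value == id_value:
        return True, f"IKE identity matches certificate {field}"
    return False, (f"IKE identity {id_value!r} does not match certificate "
                   f"{field} {cert_value!r}: drop tunnel")


# Constructed certificate contents for the examples (not a real certificate).
ENG_CERT = {
    "subject_dn": "CN=alice,OU=Engineering,O=Example Corp",
    "san_dns": "alice.example.com",
    # no san_ip: an IP-address identity cannot be checked against this cert
}
GROUPS = {"Engineering", "Sales"}

if __name__ == "__main__":
    print(select_group(ENG_CERT, GROUPS))
    for mode in (REQUIRED, IF_SUPPORTED, DO_NOT_CHECK):
        print(mode, validate_peer_identity("ipv4", "192.0.2.5", ENG_CERT, mode))
```

The interesting row is the IPv4 identity against a certificate with no IP subjectAltName: Required drops it, If supported by certificate lets it through, and Do not check never looks. A mismatch between a present field and the identity is dropped in both of the checking modes.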


IKE Keepalives

Check the IKE Keepalives check box to enable IKE keepalives. (IKE keepalives is enabled by default.) This feature lets the VPN Concentrator monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the VPN Concentrator removes the connection. Enabling IKE keepalives prevents hung connections when the IKE peer loses connectivity.

There are various forms of IKE keepalives. For this feature to work, both the VPN Concentrator and its remote peer must support a common form. This feature works with the following peers:

• Cisco VPN Client (Release 3.0 or later)

• Cisco VPN 3000 Client (Release 2.x)

• Cisco VPN 3002 Hardware Client

• Cisco VPN 3000 Series Concentrators

• Cisco IOS software

• Cisco Secure PIX Firewall

Non-Cisco VPN clients do not support IKE keepalives.

If you are configuring a group of mixed peers, and some of those peers support IKE keepalives and others do not, enable IKE keepalives for the entire group. The feature does not affect the peers that do not support it.

If you disable IKE keepalives, connections with unresponsive peers remain active until they time out, so we recommend you keep your idle timeout short. To change your idle timeout, see the Configuration | User Management | Groups | Add screen, General tab.

Note To reduce connectivity costs, disable IKE keepalives if this group includes any clients connecting via ISDN lines. ISDN connections normally disconnect if idle, but the IKE keepalives mechanism prevents connections from idling and therefore from disconnecting.

If you do disable IKE keepalives, the client disconnects only when its IKE or IPSec keys expire. Unlike the case when IKE keepalives are enabled, failed traffic does not cause the tunnel to be torn down according to the Peer Timeout Profile values.

Note If you have a LAN-to-LAN configuration using IKE main mode, make sure the two peers have the same IKE keepalives configuration: both must have IKE keepalives enabled or both must have it disabled.

Confidence Interval

This field applies only to Easy VPN compliant clients that are using IKE Keepalives. Easy VPN compliant clients are:

• Cisco VPN 3002 Hardware Client

• Cisco Easy VPN Client for IOS Routers

• PIX 501/506 Easy VPN Remote Hardware Client

Enter the number of seconds the VPN Concentrator should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a LAN-to-LAN group is 10 seconds. The default for a remote access group is 300 seconds.


Tunnel Type

Click the Tunnel Type drop-down menu button and select the type of IPSec tunnel that this group’s clients use:

• LAN-to-LAN = IPSec LAN-to-LAN connections between two VPN Concentrators (or between a VPN Concentrator and another protocol-compliant security gateway). See Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN. If you select this type, ignore the rest of the parameters on this tab.

• Remote Access = Remote IPSec client connections to the VPN Concentrator. If you select this type, configure Remote Access Parameters.

Remote Access Parameters

These group parameters apply to remote-access IPSec client connections only. If you select Remote Access for Tunnel Type, configure these parameters.

Group Lock

Check the Group Lock check box to restrict users to remote access through this group only. Group Lock restricts users by checking if the group configured in the VPN client is the same as the user’s assigned group. If it is not, the VPN Concentrator prevents the user from connecting.

If this box is unchecked (the default), the system authenticates a user without regard to the user’s assigned group.

Authentication

Whenever a VPN software or VPN 3002 hardware client attempts a tunneled connection to a network behind a VPN Concentrator, that client is authenticated by means of a username and password. This authentication occurs when the tunnel initiates, and is the authentication type for interactive hardware client authentication for the VPN 3002. This parameter does not apply to individual user authentication for the VPN 3002.

Click the Authentication drop-down menu button and select the user authentication method (authentication server type) to use with this group’s remote-access IPSec clients. Both VPN Clients and VPN 3002 hardware clients authenticate on the first server of the type you configure.

This selection identifies the authentication method, not the specific server. Configure authentication servers on the Configuration | System | Servers | Authentication screens or Configuration | User Management | Groups | Authentication Servers screens.

For the VPN 3002, this selection applies to authentication using a saved username and password and to interactive hardware client authentication. Individual users behind the VPN 3002 authenticate according to the priority order of all authentication servers configured, regardless of type. For more information on the different ways in which a VPN 3002 can authenticate, see the section, “HW Client Parameters Tab.”

WebVPN users authenticating with digital certificates use an authorization server for authentication. For these users, set the value in this Authentication field to None.


Note To configure user-based authentication for Cisco VPN Clients, choose an Authentication option, then follow the additional steps outlined under Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add, Modify, or Copy. You do this in all cases, regardless of whether you enable interactive hardware client authentication or individual user authentication.

Selecting any authentication method (other than None) enables ISAKMP Extended Authentication, also known as XAUTH.

• None = No IPSec user authentication method.

– If you checked L2TP over IPSec under Tunneling Protocols, use this selection.

– If WebVPN users in the base group authenticate with digital certificates, select None in this screen because these users authenticate using an Authorization server.

• RADIUS = Authenticate users via external RADIUS server.

• RADIUS with Expiry = Authenticate users via external RADIUS server. If the password has expired, notify the user and offer the opportunity to create a new password.

• NT Domain = Authenticate users via external Windows NT Domain system.

• SDI = Authenticate users via external RSA Security Inc. SecureID system.

• Kerberos/Active Directory = Authenticate users via an external Windows/Active Directory or a UNIX/Linux Kerberos server.

• Internal = Authenticate users via internal VPN Concentrator authentication server.

Authorization Type

This field applies to IPSec users and to WebVPN users that authenticate with digital certificates. These WebVPN users use an Authorization server for authentication.

Select an authorization type.

• None = Do not authorize users in this group.

• RADIUS = Use an external RADIUS authorization server to authorize users in this group.

• LDAP = Use an external LDAP authorization server to authorize users in this group.

Authorization Required

If you are using authorization, you can make it mandatory or optional. Check the Authorization Required check box if you want to require users to authorize successfully to connect. If authorization fails for any reason (including the user’s inability to access the authorization server), the connection fails.

If you do not want a connection to depend on authorization, make authorization optional. To make authorization optional, uncheck the Authorization Required check box. In this case, if authorization fails, the VPN Concentrator notes the failure in the log and allows the connection to continue.

Check this box for WebVPN users that authenticate with digital certificates.


DN Field

If IPSec or WebVPN users in this group are authenticating by means of digital certificates and require LDAP or RADIUS authorization, choose a field from the certificate to identify the user to the authorization server.

For example, if you choose E-mail Address, users authenticate according to their e-mail address. Then a user with the Common Name (CN) John Doe and an email address of [email protected] cannot authenticate as John Doe or as johndoe. He must authenticate as [email protected].

• CN otherwise OU = If there is a CN field in the certificate, use the CN field for user authorization. If there is not a CN field in the certificate, use the OU field.

• Common Name (CN)

• Surname (SN)

• Country (C)

• Locality (L)

• State/Province (SP)

• Organization (O)

• Organizational Unit (OU)

• Title (T)

• Name (N)

• Given Name (GN)

• Initials (I)

• E-mail Address (EA)

• Generational Qualifier (GENQ)

• DN Qualifier (DNQ)

• Serial Number (SER)

• All the DN Fields

IPComp

If all members of this group are remote dial-in users connecting with modems, enabling data compression might speed up their data transmission rates. Data compression shrinks data by replacing repeating information with symbols that use less space. Click the IPComp drop-down menu button to enable data compression using IPComp.

• None = No data compression.

• LZS = Enable data compression using the LZS compression algorithm.

Note Data compression increases the memory requirement and CPU utilization for each user session and consequently decreases the overall throughput of the VPN Concentrator. For this reason, we recommend you enable data compression only if every member of the group is a remote user connecting with a modem. If any members of the group connect via broadband, do not enable data compression for the group. Instead, divide the group into two groups, one for modem users and the other for broadband users. Enable data compression only for the group of modem users.


Reauthentication on Rekey

Check the Reauthentication on Rekey check box to enable reauthentication, or uncheck the box to disable it.

If you have enabled the Reauthentication on Rekey feature, the VPN Concentrator prompts the user to enter an ID and password during Phase 1 IKE negotiation and also prompts for user authentication whenever a rekey occurs. Reauthentication provides additional security.

If the configured rekey interval is very short, users might find the repeated authorization requests inconvenient. In this case, disable reauthentication. To check your VPN Concentrator’s configured rekey interval, see the Lifetime Measurement, Data Lifetime, and Time Lifetime fields on the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals | Add or Modify screen.

Note At 85% of the rekey interval, the Cisco VPN Client prompts the user to reauthenticate. If the user does not respond within approximately 90 seconds, the VPN Concentrator drops the connection.

Client Type & Version Limiting

Construct rules to permit or deny VPN Clients according to their type and software version. Construct these rules exactly, using the formats, abbreviations, and other rule specifications defined below.

• Construct rules in the format p[ermit]/d[eny] <type> : <version>, for example, d VPN 3002 : 3.6*.

• The * character is a wildcard. You can use it multiple times in each rule. For example: deny *:3.6* = Deny all clients running software version 3.6x.

• Use a separate line for each rule.

• Order rules by priority.

– If you do not define any rules, all connections are permitted.

– The first rule that matches is the rule that applies. If a later rule contradicts, the system ignores it.

• When a client matches none of the rules, the connection is denied. This means that if you define a deny rule, you must also define at least one permit rule, or all connections are denied.

• For both software and hardware clients, client type and software version must match (case insensitive) their appearance in the Monitoring | Sessions screen, including spaces. We recommend that you copy and paste from that screen to this one.

• Use "n/a" for either the type or the version to identify information the client does not send. For example: permit n/a:n/a = Permit any client that does not send the client type and version.

• You can use a total of 255 characters for rules. The newline between rules uses two characters. To conserve characters:

– Use p for permit, d for deny

– Eliminate spaces except as required for client type and version. You do not need a space before or after the colon (:).
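The rule semantics above, applied in code. This is an added example, not Cisco's implementation: it follows the stated behaviour (no rules permits everything, first match wins, an unmatched client is denied, matching is case-insensitive, `*` is the only wildcard, `n/a` stands for a field the client did not send, and the newline between rules costs two of the 255 characters); the rule set in RULES is constructed for illustration.

```python
"""Client Type & Version Limiting rules, evaluated as the section describes.

Added example, not Cisco code. parse_rules/client_allowed apply the stated
semantics; rule_budget/compact deal with the 255-character limit.
"""
import re

RULE_LIMIT = 255
_RULE_RE = re.compile(r"^\s*(p(?:ermit)?|d(?:eny)?)\s+(.*?)\s*:\s*(.*?)\s*$",
                      re.IGNORECASE)


def parse_rules(text):
    """Return [(permit, type_pattern, version_pattern)] in priority order."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue                        # blank line, not a rule
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed rule: {line!r}")
        action, ctype, cver = m.groups()
        rules.append((action.lower().startswith("p"), ctype, cver))
    return rules


def _match(pattern, value):
    # '*' means "anything"; every other character is literal, case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def client_allowed(rules, client_type, client_version):
    """Decide whether a client reporting (type, version) may connect."""
    if not rules:
        return True                         # no rules defined: all permitted
    ctype = client_type or "n/a"            # field the client did not send
    cver = client_version or "n/a"
    for permit, tpat, vpat in rules:
        if _match(tpat, ctype) and _match(vpat, cver):
            return permit                   # first match applies; later rules ignored
    return False                            # matched nothing: denied


def rule_budget(text):
    """Characters consumed by the rule text; each newline between rules costs two."""
    lines = [l for l in text.splitlines() if l.strip()]
    return sum(len(l) for l in lines) + 2 * max(len(lines) - 1, 0)


def compact(text):
    """Shortest equivalent form: p/d, one space, no spaces around the colon."""
    return "\n".join(f"{'p' if permit else 'd'} {t}:{v}"
                     for permit, t, v in parse_rules(text))


# Constructed rule set: deny 3.6.x on VPN 3002 hardware clients, permit
# clients that send no type/version, then permit everything else.
RULES = """\
d VPN 3002 : 3.6*
permit n/a:n/a
p *:*
"""

if __name__ == "__main__":
    rules = parse_rules(RULES)
    print(client_allowed(rules, "VPN 3002", "3.6.7"))      # False
    print(client_allowed(rules, "vpn 3002", "4.0.1"))      # True
    # A lone deny rule denies every client, because nothing matches a permit.
    print(client_allowed(parse_rules("d *:3.6*"), "Cisco VPN Client", "4.0.1"))  # False
    print(rule_budget(RULES), "->", rule_budget(compact(RULES)), "of", RULE_LIMIT)  # 40 -> 33 of 255
```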


Mode Configuration

Check the Mode Configuration check box to use Mode Configuration with this group’s IPSec clients (also known as the ISAKMP Configuration Method or Configuration Transaction). This option exchanges configuration parameters with the client while negotiating Security Associations. If you check this box, configure the desired Mode Configuration Parameters; otherwise, ignore them.

To use split tunneling, you must check this box.

If you checked L2TP over IPSec under Tunneling Protocols, do not check this box.

Note IPSec uses Mode Configuration to pass all configuration parameters to a client: IP address, DNS and WINS addresses, etc. You must check this box to use Mode Configuration. Otherwise, those parameters—even if configured with entries—are not passed to the client.

Note The Cisco VPN Client (IPSec client) supports Mode Configuration, but other IPSec clients might not. For example, the Microsoft Windows 2000 IPSec client does not support Mode Configuration. (The Windows 2000 client uses the PPP layer above L2TP to receive its IP address from the VPN Concentrator.) Determine compatibility before using this option with other vendors’ clients.

Client Configuration Parameters Tab

These parameters apply to this group’s IPSec clients. The tab has three sections: one for parameters specific to Cisco clients, one for Microsoft clients, and a third for common client parameters.


Figure 13-14 Configuration | User Management | Groups | Add or Modify, Client Configuration Tab


Banner

Enter the banner, or welcome text, that this group’s IPSec clients see when they log in. The maximum length is 510 characters. You can only use ASCII characters, including new line (the Enter key, which counts as two characters).

You can display a banner to VPN Clients, WebVPN users, and on VPN 3002 hardware clients that are configured for individual user authentication.

Allow Password Storage on Client

Check the Allow Password Storage on Client check box to allow this group’s IPSec clients to store their login passwords on their local client systems. If you do not allow password storage, IPSec users must enter their password each time they seek access to the VPN. For maximum security, we recommend that you not allow password storage.

This parameter has no bearing on interactive hardware client authentication or individual user authentication for a VPN 3002.

IPSec over UDP

Check the IPSec over UDP check box to allow the Cisco VPN Client (IPSec client) or VPN 3002 to connect to the VPN Concentrator via UDP through a firewall or router using NAT.

IPSec over UDP Port

Enter the UDP port number to use if you allow IPSec over UDP. Enter a number in the range 4001 through 49151. The default value is 10000.

See the discussion About IPSec over UDP under Configuration | User Management | Base Group.

IPSec Backup Servers

IPSec backup servers enable a VPN 3002 Hardware Client to connect to the central site when its primary central-site VPN Concentrator is unavailable. You configure backup servers for a VPN 3002, either on the VPN 3002 or on a group basis at the central-site Concentrator. If you configure backup servers on the central-site VPN Concentrator, that VPN Concentrator pushes the backup server policy to the VPN 3002 hardware clients in the group. The default policy is to use the backup server list configured on the VPN 3002.

Alternatively, the VPN Concentrator can push a policy that supplies a list of backup servers in order of priority (replacing the backup server list on the VPN 3002 if one is configured), or it can disable the feature and clear the backup server list on the VPN 3002.

See the “IPSec Backup Servers” section of this chapter for an illustrated explanation of how the backup server feature works.

Note The group name, username, and passwords that you configure for the VPN 3002 must be identical for the primary VPN Concentrator and all backup servers. Also, if you require interactive hardware client authentication and/or individual user authentication for the VPN 3002, be sure to configure it on backup servers as well. See the HW Client Parameters Tab for more information.


Configuring Backup Servers on the Central-Site VPN Concentrator

To configure backup servers on the primary central-site VPN Concentrator, select Use the list below in the IPSec Backup Servers drop-down menu.

Enter either the IP addresses or the hostnames of the VPN Concentrators that are to be backup servers. The IP address is the IP address of the VPN Concentrator public interface.

Note If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind a VPN 3002 obtain DNS and WINS information from the VPN 3002 through DHCP, and the connection to the primary server is lost, and the backup servers have different DNS and WINS information, clients cannot be updated until the DHCP lease expires. Further, if you use hostnames and the DNS server is unavailable, significant delays can occur.

You can enter up to 10 backup servers, in order of highest to lowest priority. Enter each backup server on a single line, using the Enter or Return key for each new line.

Should there be a backup server list already configured on the client, this list on the central-site VPN Concentrator replaces it, and becomes the list of backup servers on the client.

If you change the configuration of backup servers, or delete a backup server during an active session between a client and a backup server, the session continues without adopting that change. New settings take effect in the next new session.

Configuring Backup Servers from the VPN 3002

To configure backup servers on the VPN 3002, accept the default, Use client configured list in the IPSec Backup Servers drop-down menu. You then configure backup servers in the VPN 3002 Configuration | System | Tunneling Protocols | IPSec screen. Refer to the Tunneling chapter in the VPN 3002 Hardware Client User Reference for instructions.

Configuring Backup Servers from the Cisco VPN Client

To configure backup servers on the Cisco VPN Client, check the Enable backup server(s) check box on the Properties > Connections tab. Click Add, then enter the hostname or IP address of the backup server(s). Refer to the VPN Client User Guide for more information.

Disabling Backup Servers

To disable the backup server feature, select Disable and clear client configured list in the IPSec Backup Servers drop-down menu. If you disable the feature from the primary VPN Concentrator, the feature is disabled and the list of backup servers configured on the client, if there is one, is cleared.


Intercept DHCP Configure Message

DHCP Intercept lets Microsoft XP clients implement split-tunneling with a VPN Concentrator. The VPN Concentrator replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. This is useful in environments in which using a DHCP server is not advantageous.

Note A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. The VPN Concentrator limits the number of routes it sends to 27-40 routes, with the number of routes dependent on the classes of the routes, to avoid this problem.

Check the box to enable DHCP Intercept.

Subnet Mask

Enter the subnet mask for clients requesting Microsoft DHCP options.

Note To implement split tunneling for Microsoft XP clients, you must also configure network lists and default domain names in the Common Client Parameters section of this screen.

Split Tunneling Policy

Split tunneling lets an IPSec client conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in cleartext form. Packets not bound for destinations on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. Split tunneling thus eases the processing load, simplifies traffic management, and speeds up untunneled traffic.

Note If you enable both split tunneling and individual user authentication for a VPN 3002, users must authenticate only when sending traffic bound for destinations on the other side of the IPSec tunnel.

Split tunneling is primarily a traffic management feature, not a security feature. In fact, for optimum security, we recommend that you not enable split tunneling. However, since only the VPN Concentrator—and not the IPSec client—can enable split tunneling, you can control implementation here and thus protect security. Split tunneling is disabled by default on both the VPN Concentrator and the client. You enable and configure the feature on the VPN Concentrator, and then the VPN Concentrator uses Mode Configuration to push it to, and enable it on, the IPSec client.

Split tunneling applies only to single-user remote-access IPSec tunnels, not to LAN-to-LAN connections.

The default split tunneling policy is Tunnel Everything. Tunnel Everything disables split tunneling. When Tunnel Everything is configured, all traffic from remote clients in this group travels over the secure IPSec tunnel in encrypted form. No traffic goes in the clear or to any other destination than the VPN Concentrator. Remote users in this group reach internet networks through the corporate network and do not have access to local networks.


If users in this group need access to local networks, choose Allow Networks in List to Bypass Tunnel. This option allows you to define a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel.

To configure the Allow Networks in List to Bypass Tunnel option, choose VPN Client Local LAN from the Split Tunneling Network List menu. The VPN Client Local LAN option allows all users in the group to access all devices on their local networks. If you want to restrict users’ access to particular devices on their local network, you need to know the addresses of the local devices the remote users in this group want to access. Create a network list of these addresses, then choose that network list from the Split Tunneling Network List menu. You can apply only one network list to a group, but one network list can contain up to 10 network entries. (See the Configuration | Policy Management | Traffic Management | Network Lists screens for more information on creating network lists.) You also must enable Local LAN Access on the VPN Client. See the VPN Client Administrator Guide for more details.

Note The Allow Networks in List to Bypass Tunnel option allows remote users to access only devices that are located on the same network interface as the tunnel. If a remote user’s local LAN is located on a different network interface than the tunnel, the user cannot access it.

To allow remote users to access internet networks without tunneling through the corporate network, enable split tunneling. To enable split tunneling, choose Only Tunnel Networks in List. To configure this option, create a network list of addresses to tunnel. Then select this network list from the Split Tunneling Network List menu. Data to all other addresses is sent in the clear and routed by the remote user’s internet service provider.

We recommend that you keep the base-group default, and that you enable and configure the split tunneling policy selectively for each group.

• Tunnel everything = Send all data via the secure IPSec tunnel.

• Allow networks in list to bypass the tunnel = Send all data via the secure IPSec tunnel except for data to addresses on the network list. The purpose of this option is to allow users who are tunneling all traffic to access devices such as printers on their local networks.

• Only tunnel networks in list = Send data to addresses on the network list via secure IPSec tunnel. Data bound for any other address goes in the clear. The purpose of this option is to allow remote users to access internet networks without requiring them to be tunneled through the corporate network.

Split Tunneling Network List

Click the drop-down menu button and select the split tunneling address list to use with this group’s remote-access IPSec clients.

Both the Allow Networks in List to Bypass Tunnel option and the Only Tunnel Networks in List option make split tunneling decisions on the basis of a network list, which is a list of addresses on the private network. But the network list functions differently in each configuration.

In an Allow Networks in List to Bypass Tunnel configuration, the IPSec client uses the network list as an exclusion list: a list of addresses to which traffic should be sent in the clear. All other traffic is routed over the IPSec tunnel.


In an Only Tunnel Networks in List configuration, the IPSec client uses the network list as an inclusion list: a list of networks for which traffic should be sent over the IPSec tunnel. The IPSec client establishes an IPSec Security Association (SA) for each network specified in the list. Outbound packets with destination addresses that match one of the SAs are sent over the tunnel; everything else is sent as clear text to the locally connected network.

• None = No network address lists are configured.

• VPN Client Local LAN (default) = All addresses on the client’s local network. The VPN Client Local LAN network list is a wildcard value that represents the client’s local network. It corresponds to the address 0.0.0.0/0.0.0.0, which represents the IP address of the client’s network card on which the tunnel is established. This option is the default associated with Allow Networks in List to Bypass Tunnel. It does not apply to the Only Tunnel Networks in List option.
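A model of the per-packet decision under the three policies, written as an added example rather than the VPN Client's own code. The network-list entries and the client subnet are constructed; the address/mask entry form and the handling of the VPN Client Local LAN wildcard (it expands to the client's own subnet under Allow Networks in List to Bypass Tunnel and is ignored under Only Tunnel Networks in List) are taken from the text above.

```python
"""Per-packet split tunneling decision for the three policies on this screen.

Added example, not the VPN Client's implementation. Tunnel Everything sends
all traffic through the tunnel; Allow Networks in List to Bypass Tunnel
treats the network list as an exclusion list; Only Tunnel Networks in List
treats it as an inclusion list.
"""
import ipaddress

TUNNEL_EVERYTHING = "Tunnel everything"
BYPASS_LIST = "Allow networks in list to bypass the tunnel"
ONLY_LIST = "Only tunnel networks in list"
LOCAL_LAN = "0.0.0.0/0.0.0.0"            # VPN Client Local LAN wildcard entry


def expand_list(policy, network_list, client_local_net=None):
    """Turn a group's network list into concrete networks for one client.

    client_local_net is the subnet of the client interface on which the
    tunnel is established (constructed input); it is what the Local LAN
    wildcard stands for, so a literal 0.0.0.0/0 must never be used.
    """
    nets = []
    for entry in network_list:
        if entry == LOCAL_LAN:
            if policy == ONLY_LIST:
                continue                  # wildcard has no meaning here
            if client_local_net is None:
                raise ValueError("Local LAN wildcard needs the client's subnet")
            nets.append(ipaddress.ip_network(client_local_net, strict=False))
        else:
            # ipaddress accepts both netmask and wildcard (host) mask forms
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def route(policy, network_list, dst, client_local_net=None):
    """Return 'tunnel' or 'clear' for a packet destined to dst."""
    if policy == TUNNEL_EVERYTHING:
        return "tunnel"                   # split tunneling disabled
    dst_ip = ipaddress.ip_address(dst)
    nets = expand_list(policy, network_list, client_local_net)
    in_list = any(dst_ip in n for n in nets)
    if policy == BYPASS_LIST:
        return "clear" if in_list else "tunnel"    # exclusion list
    if policy == ONLY_LIST:
        return "tunnel" if in_list else "clear"    # inclusion list
    raise ValueError(f"unknown policy {policy!r}")


# Constructed corporate network list in address/mask form.
CORP = ["10.0.0.0/255.0.0.0", "192.168.100.0/255.255.255.0"]

if __name__ == "__main__":
    print(route(TUNNEL_EVERYTHING, CORP, "8.8.8.8"))                      # tunnel
    print(route(ONLY_LIST, CORP, "10.5.5.5"))                             # tunnel
    print(route(ONLY_LIST, CORP, "8.8.8.8"))                              # clear
    print(route(BYPASS_LIST, [LOCAL_LAN], "192.168.1.20", "192.168.1.0/24"))  # clear
    print(route(BYPASS_LIST, [LOCAL_LAN], "10.5.5.5", "192.168.1.0/24"))      # tunnel
```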

Default Domain Name

Enter the default domain name that the VPN Concentrator passes to the IPSec client, for the client’s TCP/IP stack to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. For example, if this entry is xyzcorp.com, a DNS query for mail becomes mail.xyzcorp.com. The maximum name length is 255 characters. The Manager checks the domain name for valid syntax.

Split DNS Names

Split DNS lets an internal DNS server resolve a list of centrally-defined Local Domain Names, while ISP-assigned DNS servers resolve all other DNS requests. It is used in split-tunneling connections; the internal DNS server resolves the domain names for traffic through the tunnel, and the ISP-assigned DNS servers resolve DNS requests that travel in the clear to the Internet.

The VPN Concentrator does not support split-DNS for Microsoft VPN Clients; however, it does support split DNS for the Cisco VPN Client operating on Microsoft Windows operating systems.

Enter each domain name to be resolved by the internal server. Use commas but no spaces to separate the names.


Client FW Parameters Tab

This tab lets you configure firewall parameters for VPN Clients.

Note Only VPN Clients running Microsoft Windows can use these firewall features. They are not presently available to hardware clients or other (non-Windows) software clients.

A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound individual packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the user’s PC, and thereby the corporate network, from intrusions by way of the Internet or the user’s local LAN.

Remote users connecting to the VPN Concentrator with the VPN Client can choose from two possible firewall options.

In the first scenario, a remote user has a personal firewall installed on the PC. The VPN Client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN Client drops the connection to the VPN Concentrator. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN Client monitors the firewall by sending it periodic “are you there?” messages; if no reply comes, the VPN Client knows the firewall is down and terminates its connection to the VPN Concentrator.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration.

In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN Client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the VPN Concentrator, you create a set of traffic management rules to enforce on the VPN Client, associate those rules with a filter, and designate that filter as the firewall policy. The VPN Concentrator pushes this policy down to the VPN Client. The VPN Client then in turn passes the policy to the local firewall, which enforces it.

A third scenario is to use a separate firewall server—the Zone Labs Integrity Server (IS)—to secure remote PCs on Windows platforms. The IS maintains policies for remote VPN Client PCs and monitors the PCs to ensure policy enforcement. The IS also communicates with the VPN Concentrator to allow and terminate connections, exchange session and user information, and report status information. For more details on how the VPN Concentrator interacts with the VPN Client, personal firewalls, and the Zone Labs Integrity Server, see the VPN Client Administrator Guide. For information on configuring the Zone Labs Integrity Server, refer to Zone Labs’ documentation.


Figure 13-15 Configuration | User Management | Groups | Add or Modify (Internal) Screen, Client FW Parameters Tab

Value/Inherit?

On this tabbed section:

• The Inherit? check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, clear the check box. If you clear the check box, you must also enter or change the corresponding Value field; do not leave the field blank.

• The Value column thus shows either base-group parameter settings that also apply to this group (Inherit? checked), or unique parameter settings configured for this group (Inherit? cleared).

Note The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.


Firewall Setting

By default, no firewall is required for remote users in this group. If you want users in this group to be firewall-protected, choose either the Firewall Required or Firewall Optional setting.

If you choose Firewall Required, all users in this group must use the designated firewall. The VPN Concentrator drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the VPN Concentrator notifies the VPN Client that its firewall configuration does not match.

If you have remote users in this group who do not yet have firewall capacity, choose Firewall Optional. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not—for example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.

Click the radio button to select a firewall setting:

• No Firewall = No firewall is required for remote users in this group.

• Firewall Required = All remote users in this group must use a specific firewall. Only those users with the designated firewall can connect.

Note If you require a firewall for a group, make sure the group does not include any clients other than Windows VPN Clients. Any other clients in the group (including VPN 3002 Hardware Clients) are unable to connect.

• Firewall Optional = All remote users in this group can connect. Those that have the designated firewall can use it. Those who do not have a firewall receive a warning message.

Firewall

Choose a firewall for the users in this group. Keep in mind when choosing that the firewall you designate correlates with the firewall policies available. The specific firewall you configure determines which firewall policy options are supported. (See Table 13-7 for details.)

Click the drop-down menu button, and select the type of firewall required for users in this group.

• Cisco Integrated Client Firewall = The stateful firewall built into the VPN Client.

• Network ICE BlackICE Defender = The Network ICE BlackICE Agent or Defender personal firewall.

• Zone Labs ZoneAlarm = The Zone Labs ZoneAlarm personal firewall.

• Zone Labs ZoneAlarm Pro = The Zone Labs ZoneAlarm Pro personal firewall.

• Zone Labs ZoneAlarm or ZoneAlarm Pro = Either the Zone Labs ZoneAlarm personal firewall or the Zone Labs ZoneAlarm Pro personal firewall.

• Zone Labs Integrity = The Zone Labs Integrity Client.

• Sygate Personal Firewall = The Sygate Personal Firewall.

• Sygate Personal Firewall Pro = The Sygate Personal Firewall Pro.


• Sygate Security Agent = The Sygate Security Agent personal firewall.

• Cisco Intrusion Prevention Security Agent = Cisco Systems security agent.

• Custom Firewall = A combination of the firewalls listed above, or other firewalls not listed above. If you choose this option, you must create your own list of firewalls in the Custom Firewall field.

Note You do not need to use the Custom option for Release 4.0. Currently, all supported firewalls are covered by the other Firewall menu options.

Custom Firewall

On the VPN Concentrator, you can configure a custom firewall. Currently there are no supported firewall configurations that you cannot choose from the menu on the VPN Concentrator, so this feature is mainly for future use. Nevertheless, the following table lists the vendor codes and products that are currently supported.

Enter a single vendor code; enter one or more product codes.

The VPN Concentrator can support any firewall that the VPN Client supports. Refer to the VPN Client Administrator Guide for the latest list of supported clients.

Vendor ID

Enter the vendor code for the firewall(s) that remote users in this group are using. Enter only one vendor.

Product ID

Enter the product code or codes for the firewall(s) that remote users in this group are using. To indicate any supported product, enter 255. Separate multiple codes with commas. Indicate code ranges with hyphens, for example: 4-20.

Description

Enter a description (optional) for the custom firewall.

Table 13-6 Custom Vendor and Product Codes

Vendor          Vendor Code   Products                                    Product Code
Cisco Systems   1             Cisco Integrated Client (CIC)               1
Cisco Systems   5             Cisco Intrusion Prevention Security Agent   1
Zone Labs       2             Zone Alarm                                  1
Zone Labs       2             Zone AlarmPro                               2
Zone Labs       2             Zone Labs Integrity                         3
NetworkICE      3             BlackIce Defender/Agent                     1
Sygate          4             Personal Firewall                           1
Sygate          4             Personal Firewall Pro                       2
Sygate          4             Security Agent                              3
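Parsing a Custom Firewall entry (Vendor ID and Product ID) against the codes in Table 13-6, as an added example and not the VPN Concentrator's code. The entry syntax follows the fields above (one vendor code; product codes separated by commas, ranges with hyphens, 255 for any product); how the Concentrator compares a client's reported firewall with the entry is not described on this page, so firewall_matches is an assumption.

```python
"""Custom Firewall vendor/product code handling (added example, not Cisco code)."""

ANY_PRODUCT = 255

# Table 13-6, transcribed: vendor code -> (vendor name, {product code: product}).
VENDORS = {
    1: ("Cisco Systems", {1: "Cisco Integrated Client (CIC)"}),
    5: ("Cisco Systems", {1: "Cisco Intrusion Prevention Security Agent"}),
    2: ("Zone Labs", {1: "Zone Alarm", 2: "Zone AlarmPro", 3: "Zone Labs Integrity"}),
    3: ("NetworkICE", {1: "BlackIce Defender/Agent"}),
    4: ("Sygate", {1: "Personal Firewall", 2: "Personal Firewall Pro", 3: "Security Agent"}),
}


def parse_vendor_id(text):
    """The Vendor ID field takes exactly one numeric vendor code."""
    text = text.strip()
    if not text.isdigit():
        raise ValueError("enter exactly one numeric vendor code")
    return int(text)


def parse_product_ids(text):
    """Expand a Product ID field such as '1,4-20' into a set of codes.

    A 255 anywhere in the field means any supported product, so the result
    collapses to {ANY_PRODUCT}.
    """
    codes = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty product code entry")
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    return {ANY_PRODUCT} if ANY_PRODUCT in codes else codes


def firewall_matches(vendor_id, product_ids, reported_vendor, reported_product):
    """Assumed check: a client's reported (vendor, product) satisfies the entry."""
    if reported_vendor != vendor_id:
        return False                      # one vendor per group
    return ANY_PRODUCT in product_ids or reported_product in product_ids


def describe(vendor_id, product_ids):
    """Human-readable view of an entry using the Table 13-6 names."""
    name, products = VENDORS[vendor_id]
    if ANY_PRODUCT in product_ids:
        return f"{name}: any supported product"
    known = [products.get(c, f"code {c}") for c in sorted(product_ids)]
    return f"{name}: " + ", ".join(known)


if __name__ == "__main__":
    vendor = parse_vendor_id("2")                  # Zone Labs
    products = parse_product_ids("1-2")            # ZoneAlarm or ZoneAlarm Pro
    print(describe(vendor, products))
    print(firewall_matches(vendor, products, 2, 3))    # False: Integrity not listed
    print(firewall_matches(4, parse_product_ids("255"), 4, 3))  # True: any Sygate product
```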


Firewall Policy

Depending on which firewall you configured, certain Firewall Policy options are available. (See Table 13-7.)

Choose the source for the VPN Client firewall policy.

• Policy defined by remote firewall (AYT) = Remote users in this group have firewalls located on their PCs. The local firewall enforces the firewall policy on the VPN Client. The VPN Concentrator allows VPN Clients in this group to connect only if they have the designated firewall installed and running. If the designated firewall is not running, the connection fails. Once the connection is established, the VPN Client polls the firewall every 30 seconds to make sure that it is still running. If the firewall stops running, the VPN Client ends the session.

• Policy Pushed (CPP) = The VPN Concentrator enforces on the VPN clients in this group the traffic management rules defined by the filter you choose from the Policy Pushed (CPP) drop-down menu. The choices available on the menu are filters defined on this VPN Concentrator, including the default filters. Keep in mind that the VPN Concentrator pushes these rules down to the VPN client, so you should create and define these rules relative to the VPN client, not the VPN Concentrator. For example, “in” and “out” refer to traffic coming into the VPN Client or going outbound from the VPN Client.

If the VPN Client also has a local firewall, the policy pushed from the VPN Concentrator works with the policy of the local firewall. Any packet that is blocked by the rules of either firewall is dropped.

• Policy from Server = Users in this group use a Zone Labs Integrity Server to configure and manage firewall security on their remote PCs. If you choose this option, you must also configure the server address on the Configuration | System | Servers | Firewall Server screen.
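Two points in the CPP description are easy to get backwards: the pushed rules are evaluated from the VPN Client's point of view ("in" arrives at the client, "out" leaves it), and a packet survives only if both the pushed policy and the local firewall forward it. The following is an added example, not code from this guide or the VPN Client, that models that evaluation. The rule and packet structures, the first-match semantics and the default action when no rule matches are assumptions of the example; the constructed policies show how a rule written from the VPN Concentrator's perspective silently fails to protect the client.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": arriving at the VPN Client; "out": leaving the VPN Client
    proto: str       # "tcp" or "udp"
    port: int        # destination port


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port: Optional[int]   # None matches any port
    action: str           # "forward" or "drop"


def evaluate(rules: Sequence[Rule], pkt: Packet, default: str = "forward") -> str:
    """First matching rule decides. The default action when nothing matches is an assumption."""
    for r in rules:
        if (r.direction == pkt.direction and r.proto == pkt.proto
                and (r.port is None or r.port == pkt.port)):
            return r.action
    return default


def permitted(pushed: Sequence[Rule], local: Sequence[Rule], pkt: Packet) -> bool:
    """A packet passes only if neither the pushed (CPP) policy nor the local firewall drops it."""
    return evaluate(pushed, pkt) == "forward" and evaluate(local, pkt) == "forward"


# Constructed policies. Intent: stop remote hosts from opening SMB (TCP 445) to the client.
# Written relative to the client, as the page requires: SMB arriving at the client is "in".
CLIENT_PERSPECTIVE = [Rule("in", "tcp", 445, "drop")]
# The same intent written from the concentrator's point of view ("traffic going out to the
# client") never matches what the client sees, so the inbound SMB packet is forwarded.
CONCENTRATOR_PERSPECTIVE = [Rule("out", "tcp", 445, "drop")]
# A local personal firewall that forbids outbound SMTP from the client.
LOCAL_FIREWALL = [Rule("out", "tcp", 25, "drop")]

INBOUND_SMB = Packet("in", "tcp", 445)
OUTBOUND_SMTP = Packet("out", "tcp", 25)
OUTBOUND_HTTPS = Packet("out", "tcp", 443)

if __name__ == "__main__":
    print(permitted(CLIENT_PERSPECTIVE, LOCAL_FIREWALL, INBOUND_SMB))        # False: blocked
    print(permitted(CONCENTRATOR_PERSPECTIVE, LOCAL_FIREWALL, INBOUND_SMB))  # True: rule misses
    print(permitted(CLIENT_PERSPECTIVE, LOCAL_FIREWALL, OUTBOUND_SMTP))      # False: local drops
```

When reviewing a filter that will be pushed by CPP, read every "in"/"out" as the client would experience it; a filter copied from an interface on the VPN Concentrator has the opposite orientation.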

Table 13-7 Firewall Policy Options Available for Each Firewall

(AYT = Policy Defined by Remote Firewall; CPP = Policy Pushed)

Firewall                                          AYT   CPP   Policy from Server
Cisco Integrated Client Firewall                  No    Yes   No
Network ICE BlackICE Defender                     Yes   No    No
Zone Labs ZoneAlarm                               Yes   Yes   No
Zone Labs ZoneAlarm Pro                           Yes   Yes   No
Zone Labs ZoneAlarm or Zone Labs ZoneAlarm Pro    Yes   Yes   No
Sygate Personal Firewall                          Yes   No    No
Sygate Personal Firewall Pro                      Yes   No    No
Sygate Security Agent                             Yes   No    No
Zone Labs Integrity                               No    No    Yes
Cisco Intrusion Prevention Security Agent         Yes   No    No
Custom Firewall                                   N/A (This field is for future use.)


HW Client Parameters Tab

This tab lets you configure interactive hardware client authentication and individual user authentication for the group. You can enable either feature, both features together, or neither. By default, interactive hardware client authentication and individual user authentication are disabled.

Figure 13-16 Configuration | User Management | Groups | Add or Modify, HW Client Parameters Tab

Require Interactive Hardware Client Authentication

Check the Require Interactive Hardware Client Authentication check box to enable interactive authentication for the VPN 3002s in the group. For more information, see the section, “About Interactive Hardware Client Authentication,” below.

Require Individual User Authentication

Check the Require Individual User Authentication check box to enable individual user authentication for the VPN 3002s in the group. To display a banner to VPN 3002s in a group, individual user authentication must be enabled.

For more information, see the section, “About Individual User Authentication,” below.


User Idle Timeout

Enter the idle timeout period in minutes. If there is no communication activity on a user connection in this period, the system terminates the connection. The minimum is 1 minute, the default is 30 minutes, and the maximum is 10080 minutes. To disable timeout and allow an unlimited idle period, enter 0.

Note This value applies to WebVPN users unless you set it to 0 (zero). In that case, the WebVPN idle timeout set in Configuration | Tunneling and Security | WebVPN | HTTPS Proxy Default Idle Timeout applies.

We recommend that you set a short idle-timeout value for WebVPN users. When a browser is set to disable cookies, or prompts for cookies but denies them, users do not connect, but they still appear in the Administration | Administer Sessions | RAS database. If Simultaneous Logins (Configuration | User Management | Base Group/Groups) is set to one, the user cannot log in again because the maximum number of connections already exists. If you set a low idle timeout for WebVPN users, these cookies are deleted quickly, letting a user reconnect.

Cisco IP Phone Bypass

Check the Cisco IP Phone Bypass check box to allow IP phones to bypass the interactive individual user authentication processes. Interactive hardware client authentication remains in effect if you have enabled it.

Note You must configure the VPN 3002 to use network extension mode for IP phone connections.

LEAP Bypass

Check the LEAP Bypass box to let LEAP packets from Cisco wireless devices bypass the individual user authentication processes (if enabled).

LEAP (Lightweight Extensible Authentication Protocol) Bypass lets LEAP packets from devices behind a VPN 3002 travel across a VPN tunnel prior to individual user authentication. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per individual user authentication (if enabled). For more information about LEAP Bypass, see the section, “About LEAP Bypass,” below.

Note This feature does not work as intended if you enable interactive hardware client authentication.

Allow Network Extension Mode

This feature lets you restrict the use of network extension mode on the VPN 3002. Check the box to allow hardware clients in the group to use network extension mode.

Network extension mode is required for the VPN 3002 to support IP phone connections. This is because the Call Manager can communicate only with actual IP addresses.

Note If you disallow network extension mode, the default setting, the VPN 3002 can connect to this VPN Concentrator in PAT mode only. If you disallow network extension mode here, be careful that all VPN 3002s in the group are configured for PAT mode. If a VPN 3002 is configured to use network extension mode and the VPN Concentrator to which it connects disallows network extension mode, the VPN 3002 attempts to connect every 4 seconds, and every attempt is rejected. In this situation, the VPN 3002 puts an unnecessary processing load on the VPN Concentrator to which it connects; if large numbers of VPN 3002s are misconfigured in this way, the VPN Concentrator has a reduced ability to provide service.

About Interactive Hardware Client Authentication

Interactive hardware client authentication provides the central site with additional security by requiring the VPN 3002 to authenticate with a username and password that you enter manually each time the VPN 3002 initiates a tunnel. With this feature enabled the VPN 3002 does not have a saved username and password. When you enter the username and password, the VPN 3002 sends these credentials to the VPN Concentrator to which it connects. The VPN Concentrator facilitates authentication, on either the internal or an external authentication server. If the username and password are valid, the tunnel is established.

You configure interactive hardware client authentication in the Hardware Client tab of the Configuration | User Management | Groups screen on the VPN Concentrator at the central site, which then pushes the policy to the VPN 3002.

You specify the type of authentication server in the IPSec tab of the Configuration | User Management | Groups screen on the VPN Concentrator. The VPN 3002 authenticates on the first server of that type that you configure in the Configuration | System | Servers | Authentication screen or Configuration | User Management | Groups | Authentication Servers screen. If the VPN 3002 cannot reach that server, it authenticates on the next server of that type in the list of authentication servers.

Enabling and Later Disabling Interactive Hardware Client Authentication

When you enable interactive hardware client authentication for a group, the VPN Concentrator pushes that policy to the VPN 3002s in the group. If you have previously set a username and password on the VPN 3002, the software deletes them from the configuration file. When you try to connect, the software prompts you for a username and password.

If, on the VPN Concentrator, you subsequently disable interactive hardware client authentication for the group, it remains enabled locally on the VPN 3002s, and the software continues to prompt for a username and password. This lets the VPN 3002 connect, even though it lacks a saved username and password and the VPN Concentrator has disabled interactive hardware client authentication.

If you subsequently configure a username and password (in the VPN 3002 Configuration | System | Tunneling Protocols | IPSec screen), the feature is disabled, and the prompt no longer displays. The VPN 3002 connects to the VPN Concentrator using the saved username and password.


About Individual User Authentication

Individual user authentication protects the central site from access by unauthorized persons on the private network of the VPN 3002.

When you enable individual user authentication, each user that connects through a VPN 3002 must open a web browser and manually enter a valid username and password to access the network behind the VPN Concentrator, even though the tunnel already exists.

To display a banner to VPN 3002s in a group, individual user authentication must be enabled.

Note You cannot use the command-line interface to log in if user authentication is enabled. You must use a browser.

• If you have a default home page on the remote network behind the VPN Concentrator, or direct the browser to a website on the remote network behind the VPN Concentrator, the VPN 3002 directs the browser to the proper pages for user login. When you successfully log in, the browser displays the page you originally entered.

• If you try to access resources on the network behind the VPN Concentrator that are not web-based, for example, e-mail, the connection fails until you authenticate with a browser.

• To authenticate, you must enter the IP address for the private interface of the VPN 3002 in the browser Location or Address field. The browser then displays the login screen for the VPN 3002. To authenticate, click the Connect/Login Status button.

• One user can log in for a maximum of four sessions simultaneously.

Individual users authenticate according to the order of authentication servers that you configure for a group. To configure authentication servers for individual user authentication, see the sections, Configuration | User Management | Base Group/Groups | Authentication Servers | Add/Modify.

Backup Servers with Interactive Hardware Client and Individual User Authentication

Be sure to configure any backup servers for the VPN 3002 with the same values as the primary VPN Concentrator for interactive hardware client authentication and individual user authentication. For information about configuring backup servers, see the section, “Client Configuration Parameters Tab,” earlier in this chapter.

Accounting with Interactive Hardware Client and Individual User Authentication

If a VPN 3002 authenticates to a VPN Concentrator, and you have enabled accounting, the VPN Concentrator notifies the RADIUS accounting server when the VPN 3002 logs on and off. It also keeps track of individual users. See the section, “Configuration | System | Servers | Authorization | Add or Modify,” of this guide.

About LEAP Bypass

IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs with strong mutual authentication between clients and authentication servers, which can provide dynamic per-user, per-session Wired Equivalent Privacy (WEP) keys, removing administrative burdens and security issues that are present with static WEP keys.


Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.

Note Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting services.

LEAP Bypass for the VPN 3002

LEAP users behind a VPN 3002 have a circular dilemma: they cannot negotiate LEAP authentication because they cannot send their credentials to the RADIUS server behind the central site device over the tunnel. The reason they cannot send their credentials over the tunnel is that they have not authenticated on the wireless network. To solve this problem, LEAP Bypass lets LEAP packets, and only LEAP packets, traverse the tunnel to authenticate the wireless connection to a RADIUS server before individual users authenticate. Then the users proceed with individual user authentication.

LEAP Bypass works as intended under the following conditions:

• The interactive unit authentication feature (intended for wired devices) must be disabled. If interactive unit authentication is enabled, a non-LEAP (wired) device must authenticate the VPN 3002 before LEAP devices can connect using that tunnel.

• Individual user authentication is enabled (if it is not, you do not need LEAP Bypass).

• Access points in the wireless environment must be Cisco Aironet Access Points. The wireless NIC cards for PCs can be other brands.

• The Cisco Aironet Access Point must be running Cisco Discovery Protocol (CDP).

• The VPN 3002 can operate in either client mode or network extension mode.

• LEAP packets travel over the tunnel to a RADIUS server via ports 1645 or 1812.

Note There may be security risks in allowing any unauthenticated traffic to traverse the tunnel.
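The conditions above amount to a narrow pre-authentication exception: before a device behind the VPN 3002 has completed individual user authentication, only its LEAP traffic to a RADIUS server (UDP 1645 or 1812) crosses the tunnel, and nothing crosses at all while interactive hardware client authentication still awaits a unit login. The following is an added example, not code from the VPN 3002 or this guide, that models that gating so the exposure the note warns about can be seen precisely. The packet class, the decision strings, and the tracking of authenticated devices by MAC address are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# RADIUS authentication ports that LEAP traffic uses across the tunnel (from the page).
RADIUS_AUTH_PORTS = {1645, 1812}


@dataclass(frozen=True)
class LanPacket:
    """A packet from a device on the private LAN behind the VPN 3002 (constructed input)."""
    src_mac: str
    proto: str      # "udp", "tcp", ...
    dst_port: int


@dataclass
class PreAuthGate:
    """Hypothetical model of how a VPN 3002 treats traffic from devices that have not yet
    completed individual user authentication (assumed structure, not the product's code)."""
    leap_bypass: bool
    interactive_hw_auth: bool
    tunnel_up: bool = False
    authenticated: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        # Without interactive hardware client authentication the unit connects with its
        # saved credentials, so the tunnel is simply up.
        if not self.interactive_hw_auth:
            self.tunnel_up = True

    def unit_authenticated(self) -> None:
        """A wired user typed the unit's username and password; the tunnel is established."""
        self.tunnel_up = True

    def user_authenticated(self, mac: str) -> None:
        """The device completed the browser login for individual user authentication."""
        self.authenticated.add(mac)

    def decide(self, pkt: LanPacket) -> str:
        if not self.tunnel_up:
            # Nothing crosses until someone authenticates the VPN 3002 itself; this is why the
            # page says LEAP Bypass does not work as intended with interactive hardware client
            # authentication enabled.
            return "drop:no-tunnel"
        if pkt.src_mac in self.authenticated:
            return "forward"
        if self.leap_bypass and pkt.proto == "udp" and pkt.dst_port in RADIUS_AUTH_PORTS:
            # The only unauthenticated traffic the bypass lets through: RADIUS authentication.
            return "forward:leap-bypass"
        return "hold:login-required"


def run(gate: PreAuthGate, packets: List[LanPacket]) -> List[Tuple[str, int, str]]:
    """Apply the gate to a packet sequence; returns (mac, dst_port, decision) for audit."""
    return [(p.src_mac, p.dst_port, gate.decide(p)) for p in packets]


if __name__ == "__main__":
    gate = PreAuthGate(leap_bypass=True, interactive_hw_auth=False)
    laptop = "00:11:22:33:44:55"   # constructed MAC
    for mac, port, decision in run(gate, [LanPacket(laptop, "udp", 1812),
                                          LanPacket(laptop, "udp", 1813),
                                          LanPacket(laptop, "tcp", 80)]):
        print(mac, port, decision)
```

The model makes the trade-off explicit: with the bypass enabled, unauthenticated devices can reach the RADIUS authentication ports across the tunnel and nothing else (RADIUS accounting on UDP 1813, for instance, is still held), so the RADIUS server at the central site is the one host exposed to traffic from devices that have not yet logged in.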


Summary of VPN 3002 Authentication Features

Table 13-5 summarizes how authentication of the VPN 3002 works by default, and how it works with interactive hardware client authentication and individual user authentication enabled. Be aware that you can use interactive hardware client authentication and individual user authentication simultaneously, or either one without the other.

Table 13-8 Authenticating the VPN 3002 Hardware Client and Users

The four columns of the table are:

A = Authentication with Saved Username and Password
B = Interactive Hardware Client Authentication
C = Individual User Authentication
D = LEAP Bypass

What is authenticated
A: Authenticates the VPN 3002.
B: Authenticates the VPN 3002.
C: Authenticates a user or device on the private LAN behind the VPN 3002.
D: Authenticates a wireless user or device on the private LAN behind the VPN 3002.

Where you configure the username and password
A: On the VPN 3002, you configure the username and password in either of these screens: Configuration | Quick | IPSec, or Configuration | System | Tunneling Protocols | IPSec.
B: You do not configure the username and password on the VPN 3002.
C: You do not configure the username and password on the VPN 3002.
D: You configure the Aironet Client Utility to use a saved username and password, or to prompt for a username and password each time a client connects. For more information, refer to the Cisco Aironet Wireless LAN Adapters Installation and Configuration Guide.

Whether the VPN 3002 saves the credentials
A: The VPN 3002 saves the username and password.
B: The VPN 3002 does not save the username and password.
C: The VPN 3002 does not save the username and password.

User interaction
A: Requires no user interaction subsequent to initial configuration.
B: You are prompted to enter a username and password each time the VPN 3002 initiates the tunnel.
C: You open a web browser and enter a username and password when prompted, even though the tunnel already exists. You cannot use the command-line interface.
D: If you use a saved username and password, LEAP requires no user interaction subsequent to initial configuration. Otherwise the Aironet Client Utility prompts you to enter a username and password.

How the feature is enabled
A: The default option.
B: You enable on the VPN Concentrator. The VPN Concentrator pushes the policy to the VPN 3002.
C: You enable on the VPN Concentrator. The VPN Concentrator pushes the policy to the VPN 3002.
D: You enable on the VPN Concentrator. The VPN Concentrator pushes the policy to the VPN 3002.

Order of authentication servers
A, B: The VPN 3002 authenticates on the first server of the type that you configure. If the VPN 3002 cannot reach that server, it authenticates on the next server of that type in the list of authentication servers.
C: Individual users authenticate according to the order of authentication servers configured, regardless of type. Individual users can authenticate according to the values of an embedded group rather than the tunnel group. See the section, Configuration | System | General | Global Authentication Parameters of this guide.
D: Individual users authenticate to RADIUS servers according to the order of servers configured.


PPTP/L2TP Parameters Tab

This section of the screen lets you configure PPTP and L2TP parameters that apply to this internally configured group. During tunnel establishment, the client and server negotiate access and usage based on these parameters. Only clients that meet these criteria are allowed access. If you checked PPTP, L2TP, or L2TP over IPSec under Tunneling Protocols on the General Parameters tab, configure these parameters.

Figure 13-17 Configuration | User Management | Groups | Add or Modify (Internal) Screen,

PPTP/L2TP Tab

Value / Inherit?

On this tabbed section:


• The Inherit? check box refers to base-group parameters: Does this specific group inherit the given setting from the base group? To inherit the setting, check the box (default). To override the base-group setting, uncheck the check box. If you uncheck the check box, you must also enter or change any corresponding Value field; do not leave the field blank.

• The Value column thus shows either base-group parameter settings that also apply to this group (Inherit? checked), or unique parameter settings configured for this group (Inherit? cleared).

Note The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.

Use Client Address

Check the Use Client Address check box to accept and use an IP address that this group’s client supplies. A client must have an IP address to function as a tunnel endpoint; but for maximum security, we recommend that you control IP address assignment and not allow client-specified IP addresses.

Make sure the setting here is consistent with the setting for Use Client Address on the Configuration | System | Address Management | Assignment screen.

PPTP Authentication Protocols

Check the PPTP Authentication Protocols check boxes for the authentication protocols that this group’s PPTP clients can use. To establish and use a VPN tunnel, users should be authenticated in accordance with some protocol.

Caution Unchecking all authentication options means that no authentication is required. That is, PPTP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.

These choices specify the allowable authentication protocols in order, from least secure to most secure.

You can allow a group to use fewer protocols than the base group, but not more. You cannot allow a grayed-out protocol.

• PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. We strongly recommend that you not allow this protocol.

• CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the client returns the encrypted [challenge plus password], with a cleartext username. It is more secure than PAP, but does not encrypt data.

• MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is similar to, but more secure than, CHAP. In response to the server challenge, the client returns the encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores—and compares—only encrypted passwords, rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption). If you check Required under PPTP Encryption, you must allow one or both MSCHAP protocols and no other.

• MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is even more secure than MSCHAPv1. It requires mutual client-server authentication, uses session-unique keys for data encryption by MPPE, and derives different encryption keys for the send and receive paths. The VPN Concentrator internal user authentication server supports this protocol, but external authentication servers do not. If you check Required under PPTP Encryption, you must allow one or both MSCHAP protocols and no other.

• EAP Proxy = Extensible Authentication Protocol, defined in RFC 2284. EAP lets the VPN Concentrator proxy the entire PPTP/L2TP authentication process to an external RADIUS authentication server. It provides additional authentication options for the Microsoft VPN Client, including EAP/MD5, Smartcards and certificates (EAP/TLS), and RSA SecurID (EAP/SDI). It requires that you configure an EAP-enabled RADIUS server. You cannot enable EAP Proxy if you are using PPP encryption. It is configurable at the base group or group levels.


PPTP Encryption

Check the PPTP Encryption check boxes for the data encryption options that apply to the PPTP clients of this group.

• Required = During connection setup, the PPTP clients of this group must agree to use Microsoft encryption (MPPE) to encrypt data or they will not be connected. If you check this option, you must also allow only MSCHAPv1 and/or MSCHAPv2 under PPTP Authentication Protocols, and you must also check 40-bit and/or 128-bit here.

• Require Stateless = During connection setup, the PPTP clients of this group must agree to use stateless encryption to encrypt data or they will not be connected. With stateless encryption, the encryption keys are changed on every packet; otherwise, the keys are changed after some number of packets or whenever a packet is lost. Stateless encryption is more secure, but it requires more processing. However, it might perform better in a lossy environment (where packets are lost), such as the Internet.

• 40-bit = The PPTP clients of this group are allowed to use the RSA RC4 encryption algorithm with a 40-bit key. This is significantly less secure than the 128-bit option. Microsoft encryption (MPPE) uses this algorithm. If you check Required, you must check this option and/or the 128-bit option.

• 128-bit = The PPTP clients of this group are allowed to use the RSA RC4 encryption algorithm with a 128-bit key. Microsoft encryption (MPPE) uses this algorithm. If you check Required, you must check this option and/or the 40-bit option.

Note The U.S. government restricts the distribution of 128-bit encryption software.

PPTP Compression

If all members of this group are remote dial-in users connecting with modems, enabling data compression might speed up their data transmission rates. Data compression shrinks data by replacing repeating information with symbols that use less space. Check the PPTP Compression check box to enable data compression for PPTP. PPTP data compression uses the Microsoft Point-to-Point Compression (MPPC) protocol.

Note MPPC data compression increases the memory requirement and CPU utilization for each user session. Consequently, using data compression reduces the overall throughput of the VPN Concentrator and lowers the maximum number of sessions your VPN Concentrator can support. We recommend you enable data compression only if every member of the group is a remote user connecting with a modem. If any members of the group connect via broadband, do not enable data compression for the group. Instead, divide the group into two groups, one for modem users and the other for broadband users. Enable data compression only for the group of modem users.

Note PPTP data compression is only supported for clients that use stateless encryption.


L2TP Authentication Protocols

Check the L2TP Authentication Protocols check boxes for the authentication protocols that this group’s L2TP clients can use. To establish and use a VPN tunnel, users should be authenticated in accordance with a protocol.

Caution Unchecking all authentication options means that no authentication is required. That is, L2TP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.

These choices specify the allowable authentication protocols in order from least secure to most secure.

You can allow a group to use fewer protocols than the base group, but not more. You cannot allow a grayed-out protocol.

• PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. We strongly recommend that you not allow this protocol.

• CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the client returns the encrypted [challenge plus password], with a cleartext username. It is more secure than PAP, but does not encrypt data.

• MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is similar to, but more secure than, CHAP. In response to the server challenge, the client returns the encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores—and compares—only encrypted passwords, rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption). If you check Required under L2TP Encryption, you must allow one or both MSCHAP protocols and no other.

• MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is even more secure than MSCHAPv1. It requires mutual client-server authentication, uses session-unique keys for data encryption by MPPE, and derives different encryption keys for the send and receive paths. The VPN Concentrator internal user authentication server supports this protocol, but external authentication servers do not. If you check Required under L2TP Encryption, you must allow one or both MSCHAP protocols and no other.

• EAP Proxy = Extensible Authentication Protocol, defined in RFC 2284. EAP enables the VPN Concentrator to proxy the entire PPTP/L2TP authentication process to an external RADIUS authentication server. It provides additional authentication options for the Microsoft VPN Client (L2TP/IPSec), including EAP/MD5, Smartcards and certificates (EAP/TLS), and RSA SecurID (EAP/SDI). It requires that you configure an EAP-enabled RADIUS server. You cannot configure EAP if you are using encryption. It is configurable at the base group or group levels.
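The PAP and CHAP entries in the PPTP Authentication Protocols list above and in this L2TP list make the same two claims: PAP puts the password itself on the wire, and CHAP answers a server challenge with a digest of challenge plus password so that the password never crosses the wire, at the cost of the server having to keep the cleartext password (which is the point MSCHAP improves on by storing only a hashed form). The following is an added example, not code from this guide or the VPN Concentrator, implementing both exchanges so the difference in what an on-path observer sees, and why a captured CHAP response cannot be replayed against a fresh challenge, can be checked. The CHAP computation is the RFC 1994 MD5 form, Response = MD5(Identifier || secret || Challenge); the server classes, the exchange helpers and the sample credentials are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class PapServer:
    """PAP: the client sends username and password in cleartext; the server compares them."""

    def __init__(self, users: Dict[str, str]):
        self.users = users  # username -> cleartext password (constructed for the example)

    def verify(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        return hmac.compare_digest(self.users[username].encode(), password.encode())


class ChapServer:
    """CHAP: the password never crosses the wire, but the server must hold it in cleartext
    because it has to recompute MD5(id || secret || challenge) itself."""

    def __init__(self, users: Dict[str, bytes]):
        self.users = users  # username -> cleartext secret (constructed for the example)

    def challenge(self, identifier: int) -> Tuple[int, bytes]:
        # A fresh, unpredictable challenge per attempt is what defeats replay.
        return identifier, os.urandom(16)

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.users.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def pap_exchange(server: PapServer, username: str, password: str):
    """Returns (authenticated?, what an on-path observer sees)."""
    observed = {"username": username, "password": password}
    return server.verify(username, password), observed


def chap_exchange(server: ChapServer, username: str, secret: bytes, identifier: int):
    """Returns (authenticated?, what an on-path observer sees, the (id, challenge, response) triple)."""
    ident, chal = server.challenge(identifier)
    resp = chap_response(ident, secret, chal)
    observed = {"username": username, "identifier": ident, "challenge": chal, "response": resp}
    return server.verify(username, ident, chal, resp), observed, (ident, chal, resp)


if __name__ == "__main__":
    pap = PapServer({"alice": "s3cret"})
    print(pap_exchange(pap, "alice", "s3cret"))        # observer sees the password
    chap = ChapServer({"alice": b"s3cret"})
    ok, seen, _ = chap_exchange(chap, "alice", b"s3cret", 7)
    print(ok, seen)                                     # observer sees only a digest
```

Both servers still hold cleartext credentials, which is why the page warns that CHAP "does not encrypt data" and steers toward the MSCHAP variants, and why a compromised authentication database is as damaging for CHAP as for PAP even though the wire exposure differs.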


L2TP Encryption

Check the L2TP Encryption check boxes for the data encryption options that apply to this group’s L2TP clients.

• Required = During connection setup, this group’s L2TP clients must agree to use Microsoft encryption (MPPE) to encrypt data or they will not be connected. If you check this option, you must also allow only MSCHAPv1 and/or MSCHAPv2 under L2TP Authentication Protocols, and you must also check 40-bit and/or 128-bit here.

• Require Stateless = During connection setup, this group’s L2TP clients must agree to use stateless encryption to encrypt data or they will not be connected. With stateless encryption, the encryption keys are changed on every packet; otherwise, the keys are changed after some number of packets or whenever a packet is lost. Stateless encryption is more secure, but it requires more processing. However, it might perform better in a lossy environment (where packets are lost), such as the Internet.

• 40-bit = This group’s L2TP clients are allowed to use the RSA RC4 encryption algorithm with a 40-bit key. This is significantly less secure than the 128-bit option. Microsoft encryption (MPPE) uses this algorithm. If you check Required, you must check this option and/or the 128-bit option.

• 128-bit = This group’s L2TP clients are allowed to use the RSA RC4 encryption algorithm with a 128-bit key. Microsoft encryption (MPPE) uses this algorithm. If you check Required, you must check this option and/or the 40-bit option.

L2TP Compression

If all members of this group are remote dial-in users connecting with modems, enabling data compression might speed up their data transmission rates. Data compression shrinks data by replacing repeating information with symbols that use less space. Check the L2TP Compression check box to enable data compression for L2TP. L2TP data compression uses the Microsoft Point-to-Point Compression (MPPC) protocol.

Note MPPC data compression increases the memory requirement and CPU utilization for each user session. Consequently, using data compression reduces the overall throughput of the VPN Concentrator and lowers the maximum number of sessions your VPN Concentrator can support. We recommend you enable data compression only if every member of the group is a remote user connecting with a modem. If any members of the group connect via broadband, do not enable data compression for the group. Instead, divide the group into two groups, one for modem users and the other for broadband users. Enable data compression only for the group of modem users.

Note L2TP data compression is only supported for clients that use stateless encryption.


Add or Apply / Cancel

When you finish setting or changing parameters on all tabs, click Add or Apply at the bottom of the screen to Add this specific group to the list of configured groups, or to Apply your changes. Both actions include your settings in the active configuration. The Manager returns to the Configuration | User Management | Groups screen. Any new groups appear in alphabetical order in the Current Groups list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click the Cancel button. The Manager returns to the Configuration | User Management | Groups screen, and the Current Groups list is unchanged.

WebVPN Parameters Tab

This screen lets you configure access to network resources for WebVPN users in this group. The HTML interface visible to these WebVPN users varies depending on the values you set here. Users see a customized home page that includes only those features that you enable.

Note To enable WebVPN, you must also check the WebVPN checkbox in the Tunneling Protocols field of the General Tab in the Configuration | User Management | Groups | Add/Modify page.

Note End users need Sun Microsystems Java™ Runtime Environment (version 1.4 or later) installed for file access functionality to work properly.


Figure 13-18 Configuration | User Management | Groups | Add or Modify (Internal) Screen, WebVPN Tab


WebVPN Parameters

These parameters let WebVPN users access network resources.

Enable URL Entry

Check this box to place the URL entry box on the home page. If enabled, users can enter web addresses in the URL entry box, and use WebVPN to access those websites.

Be advised that using WebVPN does not ensure that communication with every site is secure. WebVPN ensures the security of data transmission between the remote user’s PC or workstation and the VPN Concentrator on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate VPN Concentrator to the destination web server is not secured.

In a WebVPN connection, the VPN Concentrator acts as a proxy between the end user’s web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the VPN Concentrator establishes a secure connection and validates the server’s SSL certificate. The end user’s browser never receives the presented certificate and therefore cannot examine or validate it.

The current implementation of WebVPN on the VPN Concentrator does not permit communication with sites that present expired certificates. Neither does the VPN Concentrator perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate an SSL-enabled web-server presents before communicating with it.

You may want to limit Internet access for WebVPN users. One way to do this is to uncheck the Enable URL Entry field. This prevents WebVPN users from surfing the Web during a WebVPN connection.

Enable File Access

Check to enable Windows file access (SMB/CIFS files only) through HTTPS. When this box is checked, users can access Windows files on the network. If you enable only this parameter for WebVPN file sharing, users can access only servers that you configure in the Configuration | Tunneling and Security | WebVPN | WebVPN Servers and URLs | Add/Modify pages. To let users access servers directly or to browse servers on the network, see the Enable File Server Entry and Enable File Server Browsing parameters.

Users can download, edit, delete, and rename files. They can also add files and folders.

Remember that shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing files, according to network requirements.

File access, server/domain access, and browsing require that you configure a WINS server or a master browser, typically on the same network as the VPN Concentrator, or reachable from that network. The WINS server or master browser provides the VPN Concentrator with a list of the resources on the network. You cannot use a DNS server instead. Configure WINS servers in the Configuration | System | Servers | NBNS screen.

Note File access is not supported in a Native Active Directory environment when used with Dynamic DNS. It is supported if used with a WINS server.


Enable File Server Entry

Check to place the file server entry box on the home page. File Access (above) must be enabled.

With this box checked, users can enter pathnames to Windows files directly. They can download, edit, delete, and rename files. They can also add files and folders.

Again, shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing files, according to network requirements.

Enable File Server Browsing

Check to let users browse the Windows network for domains/workgroups, servers and shares. File Access (above) must be enabled.

With this box checked, users can select domains/workgroups, and browse servers and shares within those domains. Shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing servers, according to network requirements.

Enable Port Forwarding

Check to enable port forwarding.

With this box checked remote users can access client/server applications by mapping local TCP ports on the system to remote ports on appropriate servers at the central site. You configure specific TCP ports for application access for a group in the Configuration | User Management | Groups | WebVPN Port Forwarding | Add/Modify screens.

End users get information about the applications you configure in a java applet. Users launch this java applet by clicking the Application Access section of their WebVPN home page.

Note When users authenticate using digital certificates, the TCP Port Forwarding JAVA applet does not work. JAVA does not have the ability to access the web browser’s keystore; therefore JAVA can not use the certificates that the browser used for user authentication, and the application cannot start. Do not use digital certificates to authenticate WebVPN users if you want them to be able to access applications.

Apply ACL

Check to apply the WebVPN Access Control List defined for the users of this group.

Port Forwarding Name

This is a name for you to identify port forwarding to end users. The name you configure displays in the end user interface as a hotlink. When users click this link, the Java applet opens a window that displays a table listing, and providing access to, the port forwarding applications that you configure for these users.

Content Filter Parameters

These parameters let you block or remove the parts of websites that use Java or Active X, scripts, display images, and deliver cookies. By default, these parameters are disabled, which means that no filtering occurs.


Filter Java/Active X

Check to remove <applet>, <embed> and <object> tags from HTML.

Filter Scripts

Check to remove <script> tags from HTML.

Filter Images

Check to remove <img> tags from HTML. Removing images speeds the delivery of web pages dramatically.

Filter Cookies from Images

Check to remove cookies that are delivered with images. This may preserve user privacy, because advertisers use cookies to track visitors.
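To make the three tag filters above concrete, here is an added Python example (not Cisco’s code and not the Concentrator’s implementation) that applies the same removals to an HTML document with the standard-library parser. The sample page and the function names are constructed for this illustration.

```python
from html.parser import HTMLParser

# Tags removed by each of the three content filters described above.
FILTER_TAGS = {
    "java_activex": {"applet", "embed", "object"},
    "scripts": {"script"},
    "images": {"img"},
}

# Tags that have no closing tag; they are dropped as single tags.
VOID_TAGS = {"img", "embed"}


class ContentFilter(HTMLParser):
    """Re-emit an HTML document minus the blocked elements.

    Container elements (applet, object, script) are dropped together with
    everything between their start and end tags; void elements (img, embed)
    are dropped as single tags. Everything else passes through unchanged.
    """

    def __init__(self, blocked):
        super().__init__(convert_charrefs=False)
        self.blocked = blocked
        self.out = []
        self.depth = 0  # > 0 while inside a blocked container element

    def _emit(self, text):
        if self.depth == 0:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in self.blocked:
            if tag not in VOID_TAGS:
                self.depth += 1
            return
        self._emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # Self-closing form, e.g. <img ... />
        if tag not in self.blocked:
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in self.blocked and tag not in VOID_TAGS:
            self.depth = max(0, self.depth - 1)
            return
        self._emit(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")


def filter_html(html, *, java_activex=False, scripts=False, images=False):
    """Apply the selected filters; all are off by default, as on the Concentrator."""
    blocked = set()
    if java_activex:
        blocked |= FILTER_TAGS["java_activex"]
    if scripts:
        blocked |= FILTER_TAGS["scripts"]
    if images:
        blocked |= FILTER_TAGS["images"]
    parser = ContentFilter(blocked)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample page (not taken from the original document).
SAMPLE_PAGE = (
    '<html><body><p>Hello &amp; welcome</p>'
    '<script>alert(1)</script>'
    '<img src="a.gif" alt="logo">'
    '<object data="x.swf"><param name="a" value="b"></object>'
    '<applet code="A.class"></applet>'
    '<embed src="m.swf">'
    '</body></html>'
)

if __name__ == "__main__":
    print(filter_html(SAMPLE_PAGE, scripts=True))
    print(filter_html(SAMPLE_PAGE, java_activex=True, scripts=True, images=True))
```

Note that a tag-based filter of this kind reduces bandwidth and removes the named elements only; script carried in element attributes (for example, inline event handlers) is not covered by these three filters, so they are not a substitute for the Apply ACL and URL-entry controls on this tab.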

WebVPN ACLs

You can configure WebVPN ACLs (Access Control Lists) to apply to user sessions. These are filters that permit or deny user access to specific networks, subnets, hosts, and web servers.

• If you do not define any filters, all connections are permitted.

• If you configure a permit filter, the default action is to deny connections other than what the filter defines.

Tip After you construct WebVPN ACLs, be sure to check the Apply ACL box further up on the screen.

ACL Syntax

An ACL can have up to 255 characters.

The broad syntax for ACLs is <action> <protocol> <keyword> <source> <destination>

The specific syntax for protocol filters and for URL filters follows. Descriptions of each field are after the examples.

Note ACLs with syntax errors result in no filtering because the Manager cannot recognize them as ACLs.

Protocol ACL Syntax

The syntax for WebVPN protocol filters is:

<permit/deny> <protocol> <Source> <Destination>

Example: permit ip any 10.86.9.0 0.0.0.255

Example: deny ip any host 10.86.9.22


URL ACL Syntax

The syntax for WebVPN URL filters is: <permit/deny> url <URL definition>

Example: deny url http://www.anyurl.com

ACL Field Descriptions

Action

Action to perform if the rule matches: deny or permit.

Protocol

WebVPN protocols include ip, smtp, pop3, imap4, http, https, and cifs.

Required Keywords

For protocol ACLs: host, used only when an IP address alone (without a wildcard mask) identifies the destination.

For URL ACLs: url.

Source

Network or host from which the packet is sent, specified as an IP address and wildcard mask, a hostname, or any. The most common source is any, which means, literally, that the source can be any host.

Destination

Network or host to which the packet is sent, specified as one of the following:

• hostname

• IP address and wildcard mask, for example, 10.86.9.0 0.0.0.255

• host and IP address, for example, host 10.86.9.22

URL Definition

The complete address of the http or https web server, or of the cifs, imap4s, pop3s, or smtps server.
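The following Python example is added here to show the ACL syntax and evaluation rules above in working form; it is not Cisco’s code and does not claim to reproduce the Concentrator’s internal parser. It parses the protocol and URL forms, rejects the syntax errors the Manager would otherwise drop silently (which, as noted above, leaves the group with no filtering), and applies the documented defaults: no rules means everything is permitted, and any permit rule makes the default deny. First-match ordering, ip matching every protocol, and prefix matching for URL rules are assumptions of this example and are marked as such in the code; the sample ACL list reuses the page’s example addresses.

```python
import ipaddress

PROTOCOLS = {"ip", "smtp", "pop3", "imap4", "http", "https", "cifs"}
MAX_ACL_LEN = 255  # documented length limit for one ACL


def _ipv4(token):
    """Return the address as an int, or None if token is not a dotted quad."""
    try:
        return int(ipaddress.IPv4Address(token))
    except ValueError:
        return None


def _parse_addr(tokens, pos):
    """Consume one address spec at tokens[pos]; return (spec, next position)."""
    if pos >= len(tokens):
        raise ValueError("missing source or destination")
    tok = tokens[pos]
    nxt = _ipv4(tokens[pos + 1]) if pos + 1 < len(tokens) else None
    if tok == "any":
        return ("any",), pos + 1
    if tok == "host":
        if nxt is None:
            raise ValueError("host keyword must be followed by an IP address")
        return ("host", nxt), pos + 2
    addr = _ipv4(tok)
    if addr is not None:
        if nxt is None:  # a bare IP address needs a wildcard mask or the host keyword
            raise ValueError(f"{tok} needs a wildcard mask or the host keyword")
        return ("net", addr, nxt), pos + 2
    return ("name", tok.lower()), pos + 1


def parse_acl(line):
    """Parse one ACL line into a rule dict; raise ValueError on a syntax error."""
    if len(line) > MAX_ACL_LEN:
        raise ValueError("ACL longer than 255 characters")
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] not in ("permit", "deny"):
        raise ValueError("ACL must start with permit or deny")
    action, kind = tokens[0], tokens[1]
    if kind == "url":
        if len(tokens) != 3:
            raise ValueError("URL ACL takes exactly one URL definition")
        return {"action": action, "kind": "url", "url": tokens[2].lower()}
    if kind not in PROTOCOLS:
        raise ValueError(f"unknown protocol {kind}")
    src, pos = _parse_addr(tokens, 2)
    dst, pos = _parse_addr(tokens, pos)
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return {"action": action, "kind": "proto", "protocol": kind, "src": src, "dst": dst}


def load_acls(lines):
    """Parse a whole list; return (rules, errors) so bad lines are caught
    before the Manager drops them and the group ends up unfiltered."""
    rules, errors = [], []
    for line in lines:
        try:
            rules.append(parse_acl(line))
        except ValueError as exc:
            errors.append((line, str(exc)))
    return rules, errors


def _addr_matches(spec, ip, hostname):
    kind = spec[0]
    if kind == "any":
        return True
    if kind == "name":
        return hostname is not None and hostname.lower() == spec[1]
    addr = _ipv4(ip) if ip is not None else None
    if addr is None:
        return False
    if kind == "host":
        return addr == spec[1]
    _, net, wild = spec
    keep = ~wild & 0xFFFFFFFF  # a set wildcard bit means "don't care"
    return (addr & keep) == (net & keep)


def evaluate(rules, *, protocol, src_ip=None, src_host=None, dst_ip=None, dst_host=None, url=None):
    """Return "permit" or "deny" for one connection attempt.
    Assumptions (not stated on the page): first matching rule wins, "ip"
    matches every protocol, and a URL rule matches URLs starting with it."""
    if not rules:
        return "permit"  # no filters defined: everything is permitted
    for rule in rules:
        if rule["kind"] == "url":
            if url is not None and url.lower().startswith(rule["url"]):
                return rule["action"]
            continue
        if rule["protocol"] not in ("ip", protocol):
            continue
        if _addr_matches(rule["src"], src_ip, src_host) and _addr_matches(rule["dst"], dst_ip, dst_host):
            return rule["action"]
    # No rule matched: a permit rule anywhere in the list makes the default deny.
    return "deny" if any(r["action"] == "permit" for r in rules) else "permit"


# Constructed ACL list using the page's example addresses.
SAMPLE_ACLS = [
    "deny ip any host 10.86.9.22",
    "permit ip any 10.86.9.0 0.0.0.255",
    "deny url http://www.anyurl.com",
]
```

Running load_acls over a candidate list before pasting it into the Manager is the practical use: a line such as permit ip any 10.86.9.22 (an address with neither a wildcard mask nor the host keyword) comes back as an error instead of quietly disabling the group’s filtering.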


Add or Apply / Cancel

When you finish setting or changing parameters on all tabs, click Add or Apply at the bottom of the screen to Add this specific group to the list of configured groups, or to Apply your changes. Both actions include your settings in the active configuration. The Manager returns to the Configuration | User Management | Groups screen. Any new groups appear in alphabetical order in the Current Groups list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click the Cancel button. The Manager returns to the Configuration | User Management | Groups screen, and the Current Groups list is unchanged.


Configuration | User Management | Groups | Modify (External)

This screen lets you change identity parameters for an external group that you have previously configured. The screen title identifies the group you are modifying.

Figure 13-19 Configuration | User Management | Groups | Modify (External) Screen

Group Name

Enter a unique name for this specific group. You can edit this field as desired. The maximum name length is 64 characters. Entries are case-sensitive. Changing a group name automatically updates the group name for all users in the group.

See the note about configuring the RADIUS Class attribute under “Configuration | User Management | Groups”.

Password

Enter a unique password for this group. The minimum password length is 4 characters. The maximum length is 32 characters. Entries are case-sensitive. The field displays only asterisks.

Verify

Re-enter the group password to verify it. The field displays only asterisks.


Type

Click the Type drop-down menu button and select the authentication server type for the group:

• Internal = To change this group to use the internal VPN Concentrator authentication server, select this type. If you change this group from External to Internal, the Manager displays the Configuration | User Management | Groups | Modify (Internal) screen when you click Apply, so you can configure all the parameters.

• External = To use only an external authentication server, such as RADIUS, keep this selection. The external server supplies the group parameters if it can; otherwise the base-group parameters apply.

Apply / Cancel

When you finish changing these parameters, click Apply to include your settings in the active configuration. The Manager returns to the Configuration | User Management | Groups screen and refreshes the Current Groups list. However, if you change group type to Internal, the Manager displays the Configuration | User Management | Groups | Modify (Internal) screen so you can configure all the parameters.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your changes, click Cancel. The Manager returns to the Configuration | User Management | Groups screen, and the Current Groups list is unchanged.


Configuration | User Management | Groups | Authentication Servers

This screen lets you add, modify, delete, or change the priority order of authentication servers for a group. You can add external RADIUS, NT Domain and SDI servers for authenticating users. To add an internal server, go to the Configuration | System | Servers | Authentication screen. For further information about internal servers, see “Configuration | System | Servers | Authentication”.

If individual user authentication is enabled, the authentication servers you configure for the group here are used in the order of priority you set here. If you do not configure an external authentication server here, individual user authentication uses the internal authentication server on the VPN Concentrator.

Before you configure an external server, be sure that the external server you reference is itself properly configured and that you know how to access it (IP address or host name, TCP/UDP port, secret/password, etc.). The VPN Concentrator functions as the client of these servers.

You can configure and prioritize up to 10 authentication servers. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative. If no authentication servers are configured for the group, the global authentication server list applies.

The global authentication server list only applies if no authentication servers are configured for this group. If a group is configured (in the Configuration | User Management | Groups | Add or Modify screen, IPSec tab, Authentication field) to use a type of authentication server not available on this list, the VPN Concentrator does not redirect the authentication request to a server in the global list. The authentication fails. If you want users in this group to use the global authentication server, do not define any servers, of any type, here.

For example, if you configure a group to authenticate using RADIUS, and if only an NT Domain server appears on this list, user authentication fails. If you want these users to use the global RADIUS server, do not configure any server here.
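The selection rules in the last four paragraphs are easy to get wrong in practice, so here is an added Python model of them (an illustration written for this page, not Cisco’s code). It labels primary and backup servers per type, applies the group-list-or-global-list rule, and computes how long a failed server holds up a login from the Timeout and Retries fields described on the Add or Modify screens. The sample servers are constructed; the address 192.168.12.34 is the page’s own example.

```python
from dataclasses import dataclass

MAX_GROUP_SERVERS = 10  # documented limit per group


@dataclass(frozen=True)
class AuthServer:
    address: str       # IP address or host name as entered on the Add/Modify screen
    server_type: str   # "RADIUS", "NT Domain", "SDI" or "Kerberos/Active Directory"
    timeout: int = 4   # seconds to wait for a reply (documented default)
    retries: int = 2   # retries after the timeout (documented default)


def server_roles(servers):
    """Label each configured server: the first of each type is the primary,
    later servers of that type are backups, in list order."""
    seen = set()
    roles = []
    for srv in servers:
        roles.append((srv, "backup" if srv.server_type in seen else "primary"))
        seen.add(srv.server_type)
    return roles


def candidate_servers(group_servers, global_servers, required_type):
    """Servers the Concentrator will try, in priority order, for a group whose
    IPSec tab requires authentication of type required_type.

    Rules from the page: the global list applies only when the group list is
    empty; a group list that lacks the required type is not supplemented
    from the global list, so authentication fails. Treating a global list
    that lacks the type the same way is an assumption of this example."""
    if len(group_servers) > MAX_GROUP_SERVERS:
        raise ValueError("a group may have at most 10 authentication servers")
    source = group_servers if group_servers else global_servers
    chosen = [s for s in source if s.server_type == required_type]
    if not chosen:
        where = "group" if group_servers else "global"
        raise LookupError(f"no {required_type} server in the {where} list: authentication fails")
    return chosen


def worst_case_wait(servers):
    """Seconds before every server in the list is declared inoperative:
    each server is queried once plus `retries` times, waiting `timeout`
    seconds each time (derived from the Timeout and Retries descriptions)."""
    return sum(s.timeout * (s.retries + 1) for s in servers)


# Constructed sample configuration.
RADIUS_PRIMARY = AuthServer("192.168.12.34", "RADIUS")
RADIUS_BACKUP = AuthServer("192.168.12.35", "RADIUS", timeout=10, retries=3)
NT_DOMAIN = AuthServer("192.168.12.40", "NT Domain")
GLOBAL_LIST = [RADIUS_PRIMARY]

if __name__ == "__main__":
    print(server_roles([RADIUS_PRIMARY, NT_DOMAIN, RADIUS_BACKUP]))
    print(candidate_servers([], GLOBAL_LIST, "RADIUS"))
    try:
        candidate_servers([NT_DOMAIN], GLOBAL_LIST, "RADIUS")
    except LookupError as exc:
        print(exc)
```

The worst_case_wait figure is worth checking against the maximum values allowed on the screens (30 second timeout, 10 retries): one unreachable server configured at the maximum delays every login in the group by 330 seconds before the next server of that type is tried.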


Figure 13-20 Configuration | User Management | Groups | Authentication Servers Screen


Servers

The servers list shows the configured authentication servers, in priority order. Each entry shows the server identifier and type, by IP address or by host name, for example: 192.168.12.34 (RADIUS). If no servers have been configured, the list shows --Empty--. The first server of each type is the primary; the rest are backups.

Actions

To configure and add a new authentication server, click Add. The Manager opens the Configuration | User Management | Groups | Authentication Servers | Add screen.

To modify parameters for an authentication server that has been configured, select the server from the list and click Modify. The Manager opens the Configuration | User Management | Groups | Authentication Servers | Modify screen.

To remove a server that has been configured, select the server from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining servers in the list. When you delete a server, any clients with no other authentication server configured use the server configured for the base group.

To change the priority order for an authentication server click Move Up or Move Down to move it up or down on the list of servers configured for this group.

To test a configured external user authentication server, select the server from the list and click Test. The Manager opens the Configuration | System | Servers | Authentication | Test screen. There is no need to test the internal server, and trying to do so returns an error message.

When you are finished configuring authentication servers, click Done. This action includes your settings in the active configuration. The Manager returns to the Configuration | User Management | Groups screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | User Management | Groups | Authentication Servers | Add or Modify

These screens let you:

• Add: Configure and add a new user authentication server.

• Modify: Modify parameters for a configured user authentication server.

Click the drop-down menu button and select the Server Type. The screen and its available fields change depending on the Server Type. Choices are:

• RADIUS = An external RADIUS server (default).

• NT Domain = An external Windows NT Domain server.

• SDI = An external RSA Security Inc. SecurID server.

• Kerberos/Active Directory = An external Windows/Active Directory server or a UNIX/Linux Kerberos server.

Find your selected Server Type.

Server Type = RADIUS

Configure these parameters for a RADIUS authentication server.

Figure 13-21 Configuration | User Management | Groups | Authentication Servers | Add or Modify RADIUS Screen

Authentication Server

Enter the IP address or host name of the RADIUS authentication server, for example: 192.168.12.34. The maximum length is 32 characters. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address. For maximum security, use an IP address.)


Server Port

Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 1645.

Note The latest RFC states that RADIUS should be on UDP port number 1812, so you might need to change this default value to 1812.

Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default is 4 seconds. The maximum is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next RADIUS authentication server in the list. The minimum number of retries is 0. The default is 2. The maximum is 10.

Server Secret

Enter the RADIUS server secret (also called the shared secret), for example: C8z077f. The maximum length is 64 characters. The field shows only asterisks.

Verify

Re-enter the RADIUS server secret to verify it. The field shows only asterisks.

Add or Apply / Cancel

To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | User Management | Groups | Authentication Servers screen. Any new server appears at the bottom of the Authentication Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.


Server Type = NT Domain

Configure these parameters for a Windows NT Domain authentication server.

Note NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated.

Figure 13-22 Configuration | User Management | Groups | Authentication Servers | Add or Modify NT Domain Screen

Authentication Server Address

Enter the IP address of the NT Domain authentication server, for example: 192.168.12.34. Use dotted decimal notation.

Server Port

Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 139.

Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next NT Domain authentication server in the list. The minimum number of retries is 0. The default number is 2. The maximum number is 10.


Domain Controller Name

Enter the NT Primary Domain Controller host name for this server, for example: PDC01. The maximum host name length is 16 characters. You must enter this name, and it must be the correct host name for the server for which you entered the IP Address in Authentication Server Address; if it is incorrect, authentication fails.

Add or Apply / Cancel

To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | User Management | Groups | Authentication Servers screen. Any new server appears at the bottom of the Authentication Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.

Server Type = SDI

Configure these parameters for an RSA Security Inc. SecurID authentication server.

VPN Concentrator software version 3.6 supports both version 5.0 and versions prior to SDI 5.0.

SDI Version pre-5.0

SDI versions prior to 5.0 use the concept of an SDI master and an SDI slave server which share a single node secret file (SECURID). On the VPN Concentrator you can configure one pre-5.0 SDI master server and one SDI slave server globally, and one SDI master and one SDI slave server per each group.

SDI Version 5.0

SDI version 5.0 uses the concepts of an SDI primary and SDI replica servers. A primary and its replicas share a single node secret file. On the VPN Concentrator you can configure one SDI 5.0 server globally, and one per each group.

A version 5.0 SDI server that you configure on the VPN Concentrator can be either the primary or any one of the replicas. See the section below, “SDI Primary and Replica Servers” for information about how the SDI agent selects servers to authenticate users.

You can have one SDI primary server, and up to 10 replicas; use the SDI documentation for configuration instructions. The primary and all the replicas can authenticate users. Each primary and its replicas share a single node secret file. The node secret file has its name based on the hexadecimal value of the ACE/Server IP address with .sdi appended. SDI servers that you configure here apply to this group.


Two-step Authentication Process

SDI version 5.0 uses a two-step process to prevent an intruder from capturing information from an RSA SecurID authentication request and using it to authenticate to another server. The Agent first sends a lock request to the SecurID server before sending the user authentication request. The server locks the username, preventing another (replica) server from accepting it. This means that the same user cannot authenticate to two VPN Concentrators using the same authentication servers simultaneously. After a successful username lock, the VPN Concentrator sends the passcode.

SDI Primary and Replica Servers

The VPN Concentrator obtains the server list when the first user authenticates to the configured server, which can be either a primary or a replica. The VPN Concentrator then assigns priorities to each of the servers on the list, and subsequent server selection derives at random from those assigned priorities. The highest priority servers have a higher likelihood of being selected.


Figure 13-23 Configuration | User Management | Groups | Authentication Servers | Add or Modify SDI Screen

Authentication Server

Enter the IP address or host name of the SDI authentication server, for example: 192.168.12.34. The maximum number of characters is 32. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)

SDI Server Version

Use the drop-down menu to select the SDI server version you are using, pre-5.0 or 5.0.


Server Port

Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 5500.

Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default is 4 seconds. The maximum is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next SDI authentication server in the list. The minimum number of retries is 0. The default is 2. The maximum is 10.

Add or Apply / Cancel

To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | User Management | Groups | Authentication Servers screen. Any new server appears at the bottom of the Authentication Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Servers | Authentication screen, and the Authentication Servers list is unchanged.

Server Type = Kerberos/Active Directory

Configure these parameters for a Kerberos/Active Directory server.

The VPN Concentrator supports RC4-HMAC and DES-MD5 encryption types.

Note The VPN Concentrator does not support changing user passwords during tunnel negotiation. To avoid this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users connecting to the VPN Concentrator.

If you are configuring authentication to a Linux machine acting as a Kerberos server, check the available keys for the users you want to authenticate. The following key must be available: DES cbc mode with RSA-MD5, Version 5.


For example, if you are configuring authentication to a Red Hat Linux 7.3 server running Kerberos, check the available keys by completing the following steps:

Step 1 Enter the following command, where username is the name of the user you want to authenticate:

kadmin.local -q "getprinc username"

Step 2 If “DES cbc mode with RSA-MD5, Version 5” is not available for that user, edit the file kdc.conf. Add or move “des-cbc-md5” selections to the beginning of the “supported_enctypes =” line:

[realms]
    MYCOMPANY.COM = {
        master_key_type = des-cbc-crc
        supported_enctypes = des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
    }

Step 3 Save the file.

Step 4 Restart the krb5kdc, kadmin, and krb524 services.

Step 5 Change the password for the user to create the “DES cbc mode with RSA-MD5” key:

kadmin.local -q "cpw -pw newpassword username"

Now you should be able to authenticate that user to your Linux/Unix Kerberos 5 server.
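The checks in Step 1 and Step 2 can be scripted so that the KDC is audited before users are pointed at it. The following Python helpers are an added example for this page (not Cisco’s code and not part of the Kerberos distribution): one scans kadmin getprinc output for the required key type, the other reads the supported_enctypes line of a realm stanza in kdc.conf and reports whether des-cbc-md5 leads it. The sample getprinc output and kdc.conf text below are constructed for the example, and the exact wording of the Key: lines is an assumption about the kadmin version in use.

```python
import re

REQUIRED_KEY = "DES cbc mode with RSA-MD5"  # key type named in the steps above
REQUIRED_ENCTYPE = "des-cbc-md5"


def principal_has_key(getprinc_output):
    """True if the getprinc output lists a key of the required type.

    Expects key lines such as
    'Key: vno 1, DES cbc mode with RSA-MD5, Version 5, no salt'
    (this line format is an assumption about the kadmin version)."""
    return any(
        line.strip().startswith("Key:") and REQUIRED_KEY in line
        for line in getprinc_output.splitlines()
    )


def supported_enctypes(kdc_conf, realm):
    """Return the supported_enctypes tokens of one realm stanza in kdc.conf."""
    stanza = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", kdc_conf, re.S)
    if not stanza:
        raise KeyError(f"realm {realm} not found in kdc.conf")
    for line in stanza.group(1).splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "supported_enctypes":
            return value.split()
    return []


def des_md5_is_first(kdc_conf, realm):
    """Step 2 check: a des-cbc-md5 selection must lead the supported_enctypes line."""
    encs = supported_enctypes(kdc_conf, realm)
    return bool(encs) and encs[0].split(":")[0] == REQUIRED_ENCTYPE


# Constructed sample output of: kadmin.local -q "getprinc alice"
SAMPLE_GETPRINC = """Principal: alice@MYCOMPANY.COM
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, Version 5, no salt
Key: vno 2, DES cbc mode with RSA-MD5, Version 5, no salt
"""

# Constructed kdc.conf fragment following the page's example stanza.
SAMPLE_KDC_CONF = """[realms]
    MYCOMPANY.COM = {
        master_key_type = des-cbc-crc
        supported_enctypes = des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
    }
"""

if __name__ == "__main__":
    print("principal has key:", principal_has_key(SAMPLE_GETPRINC))
    print("des-cbc-md5 first:", des_md5_is_first(SAMPLE_KDC_CONF, "MYCOMPANY.COM"))
```

Both checks only confirm that the legacy key type the Concentrator needs is present; they do not change the KDC, so Steps 2 through 5 above are still required when either check fails.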

Figure 13-24 Configuration | User Management | Groups | Authentication Servers | Add or Modify Kerberos/Active Directory Screen

Authentication Server

Enter the host name or IP address of the Kerberos/Active Directory authentication server, for example: 192.168.12.34. Use dotted decimal notation for IP addresses.

Server Port

Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 88.


Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next Kerberos/Active Directory authentication server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.

Realm

Enter the realm name for this server, for example: USDOMAIN.ACME.COM. The maximum length is 64 characters.

The following types of servers require that you enter the realm name in all uppercase letters: Windows 2000, Windows XP, and Windows.NET. If the letters are not uppercase, authentication fails.

You must enter this name, and it must be the correct realm name for the server for which you entered the IP address in Authentication Server. If it is incorrect, authentication fails.

Add or Apply / Cancel

To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | User Management | Groups | Authentication Servers screen. Any new server appears at the bottom of the Authentication Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | User Management | Groups | Authentication Servers screen, and the Authentication Servers list is unchanged.

Configuration | User Management | Groups | Authentication Servers | Test

This screen lets you test a configured external user authentication server to determine that:

• The VPN Concentrator is communicating properly with the authentication server.

• The server correctly authenticates a valid user.

• The server correctly rejects an invalid user.

Figure 13-25 Configuration | User Management | Groups | Authentication Servers | Test Screen

Username

To test connectivity and valid authentication, enter the username for a valid user who has been configured on the authentication server. The maximum username length is 64 characters. Entries are case-sensitive. Because the test sends a real username and password to the server, use a dedicated test account rather than an administrator's credentials.

To test connectivity and authentication rejection, enter a username that is invalid on the authentication server.

Password

Enter the password for the username. The maximum password length is 32 characters. Entries are case-sensitive. The field displays only asterisks.

OK / Cancel

To send the username and password to the selected authentication server, click OK. The authentication and response process takes a few seconds. The Manager displays a Success or Error screen.

To cancel the test and discard your entries, click Cancel. The Manager returns to the Configuration | User Management | Groups | Authentication Servers screen.

Authentication Server Test: Success

If the VPN Concentrator communicates correctly with the authentication server, and the server correctly authenticates a valid user, the Manager displays a Success screen.

Figure 13-26 Authentication Server Test: Success Screen

Continue

To return to the Configuration | User Management | Groups | Authentication Servers | Test screen, click Continue. You can then test authentication for another username.

To return to the Configuration | User Management | Groups | Authentication Servers screen, or any other screen, click the desired title in the left frame (the Manager table of contents).

Authentication Server Test: Authentication Rejected Error

If the VPN Concentrator communicates correctly with the authentication server, and the server correctly rejects an invalid user, the Manager displays an Authentication Rejected Error screen.

Figure 13-27 Authentication Server Test: Authentication Rejected Error Screen

To return to the Configuration | User Management | Groups | Authentication Servers | Test screen, click Retry the operation.

To go to the main VPN Concentrator Manager screen, click Go to main menu.

Authentication Server Test: Authentication Error

If the VPN Concentrator cannot communicate with the authentication server, the Manager displays an Authentication Error screen. Error messages include:

• No response from server = There is no response from the selected server within the configured timeout and retry periods.

• No active server found = The VPN Concentrator cannot find an active, configured server to test.

The server might be improperly configured or out of service, the network might be down or clogged, etc. Check the server configuration parameters, be sure the server is operating, check the network connections, etc.

Figure 13-28 Authentication Server Test: Authentication Error Screen

To return to the Configuration | User Management | Groups | Authentication Servers | Test screen, click Retry the operation.

To go to the main VPN Concentrator Manager screen, click Go to main menu.

Configuration | User Management | Groups | Authorization Servers

This screen lets you add, modify, delete, or change the priority order of authorization servers for a group. You can add external RADIUS or LDAP servers for authorizing users.

Before you configure an external server, be sure that the external server you reference is itself properly configured and that you know how to access it (IP address or host name, TCP/UDP port, secret/password, etc.). The VPN Concentrator functions as the client of these servers. For more information on setting up an external server for VPN Concentrator user authorization, see “Configuring an External Server for VPN Concentrator User Authorization.”

You can configure and prioritize up to 10 authorization servers. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative. If no authorization servers are configured for the group, the global authorization server list applies.

The global list applies only if no authorization servers at all are configured for this group. If a group is configured (in the Configuration | User Management | Groups | Add or Modify screen, IPSec tab, Authorization Type field) to use a type of authorization server that does not appear in this list, the VPN Concentrator does not redirect the authorization request to a server in the global list; the authorization fails. For example, if you configure a group to authorize using RADIUS, and only an LDAP server appears on this list, user authorization fails. If you want the users in this group to use the global RADIUS server, do not configure any server, of any type, here.

Figure 13-29 Configuration | User Management | Groups | Authorization Servers Screen

Authorization Servers

The Authorization Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type, for example: 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server of each type is the primary, the rest are backup.

Add / Modify / Delete / Move Up / Move Down / Test / Done

To configure a new user-authorization server, click Add. The Manager opens the Configuration | User Management | Groups | Authorization Servers | Add screen.

To modify a configured user authorization server, select the server from the list and click Modify. The Manager opens the Configuration | User Management | Groups | Authorization Servers | Modify screen.

To remove a configured user authorization server, select the server from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining entries in the Authorization Servers list.

To change the priority order for configured servers, select the entry from the list and click Move Up or Move Down. The Manager refreshes the screen and shows the reordered Authorization Servers list.

To test a configured user authorization server, select the server from the list and click Test. The Manager opens the Configuration | User Management | Groups | Authorization Servers | Test screen.

To dismiss this screen and return to the Configuration | User Management | Groups screen, click Done.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | User Management | Groups | Authorization Servers | Add or Modify

These screens let you:

• Add: Configure and add a new user authorization server.

• Modify: Modify parameters for a configured user authorization server.

For more information on configuring and using authorization servers, see the “Configuration | System | Servers | Authorization” section on page 5-20.

Click the Server Type drop-down menu button and select the type of server. The screen and its configurable fields change depending on the server type. The choices are:

• RADIUS = Use an external RADIUS (Remote Authentication Dial-In User Service) server for user authorization.

• LDAP = Use an external LDAP (Lightweight Directory Access Protocol) server for user authorization.

Find your selected server type:

Server Type = RADIUS

Configure these parameters for a RADIUS (Remote Authentication Dial-In User Service) authorization server.

Figure 13-30 Configuration | User Management | Groups | Authorization Servers | Add or Modify RADIUS Screen

Authorization Server

Enter the IP address or host name of the RADIUS authorization server, for example: 192.168.12.34. The maximum number of characters is 32.

Server Port

Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 1645.

Note RFC 2865 assigns RADIUS authentication to UDP port 1812; port 1645 is the older, pre-RFC assignment. You might need to change this default value to 1812 to match your server.

Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next RADIUS authorization server in the list. The minimum number of retries is 0. The default number is 2. The maximum number is 10.

Server Secret

Enter the server secret (also called the shared secret) for the RADIUS server, for example: C8z077f. The VPN Concentrator and the RADIUS server use the shared secret to authenticate each other's packets and to hide the User-Password attribute in transit, so choose a long, random value rather than a short word like the example.

The server secret you configure here must match the one configured on the RADIUS server for this VPN Concentrator's address. If you do not know the server secret for the RADIUS server, ask the administrator of the RADIUS server.

The maximum field length is 64 characters. The field shows only asterisks.

Verify

Re-enter the RADIUS server secret to verify it. The field shows only asterisks.

Common User Password

The RADIUS authorization server requires a username and a password for each connecting user. The VPN Concentrator supplies the username automatically; you enter the password here. The RADIUS server administrator must configure the RADIUS server to associate this password with every user who authorizes to the server through this VPN Concentrator, so be sure to provide this information to your RADIUS server administrator.

Enter a common password for all users who access this RADIUS authorization server through this VPN Concentrator.

If you leave this field blank, each user's password is his or her own username. For example, the request for a user with the username "jsmith" carries the password "jsmith". In either case the password proves nothing about the user's identity: it is the same for every user, or derivable from the username, and the RADIUS protocol hides it in transit only from observers who do not know the shared secret. As a security precaution, therefore, do not use this RADIUS server for authentication anywhere else on your network.

Note This field is essentially a space-filler: the RADIUS server expects and requires a User-Password attribute in the request, but does not use it to decide the authorization. Users do not need to know it.
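To see what the Server Secret and the Common User Password actually protect, the following Python script is an added example, not Cisco code and not the VPN Concentrator's implementation: it builds the RADIUS Access-Request a client sends for a user, hides the password as RFC 2865 section 5.2 specifies, and then recovers it with nothing but the shared secret and the packet. The username and the common password are constructed for the demo, the secret is the manual's sample value, and the Request Authenticator is fixed only so the output is reproducible. When the common password is blank the script substitutes the username, as the manual describes.

```python
"""Build and decode a RADIUS Access-Request the way RFC 2865 specifies (added example, not Cisco code)."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1          # RADIUS Code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-octet block of the padded password with MD5(secret + previous block)."""
    pw = password.encode()
    if not 1 <= len(pw) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: anyone holding the shared secret and the packet can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()   # padding is NULs, so a password ending in NUL would be truncated


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(username, password, secret, identifier=0, authenticator=None):
    """Return (packet, request_authenticator) for an Access-Request carrying User-Name and User-Password."""
    if authenticator is None:
        authenticator = os.urandom(16)    # must be unpredictable and unique per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    return header + attrs, authenticator


def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-octet header (one value per type is enough here)."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


# Constructed demo values: the manual's sample Server Secret, a hypothetical Common User
# Password, and a fixed Request Authenticator used only to make the demo reproducible.
SECRET = b"C8z077f"
COMMON_USER_PASSWORD = "vpn-authz-common"
FIXED_AUTHENTICATOR = bytes(range(16))


def demo_roundtrip(username="jsmith", common_password=COMMON_USER_PASSWORD):
    """Build the request for one user and recover the password from it with the shared secret alone."""
    # A blank Common User Password means the user's own username is sent as the password.
    password = common_password or username
    packet, auth = access_request(username, password, SECRET, authenticator=FIXED_AUTHENTICATOR)
    attrs = parse_attributes(packet)
    recovered = reveal_password(attrs[ATTR_USER_PASSWORD], SECRET, auth)
    return recovered, attrs[ATTR_USER_NAME].decode(), len(packet)


if __name__ == "__main__":
    print(demo_roundtrip())                      # ('vpn-authz-common', 'jsmith', 46)
    print(demo_roundtrip(common_password=""))    # blank field: ('jsmith', 'jsmith', 46)
```

The hiding is an XOR with an MD5 keystream derived from the secret, not encryption with a per-user key, which is why the manual's advice holds: the strength of the Server Secret is what keeps the password off the wire, and the Common User Password itself is not a credential worth reusing elsewhere.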

Verify

Re-enter the Common User Password to verify it. The field shows only asterisks.

Add or Apply / Cancel

To add the new server to the list of configured user authorization servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | User Management | Groups | Authorization Servers screen. Any new server appears at the bottom of the Authorization Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | User Management | Groups | Authorization Servers screen, and the Authorization Servers list is unchanged.

Server Type = LDAP

Configure these parameters for an LDAP authorization server.

Figure 13-31 Configuration | User Management | Groups | Authorization Servers | Add or Modify LDAP Screen

Authorization Server

Enter the IP address or hostname of the LDAP authorization server. Enter the IP address in dotted decimal notation, for example: 192.168.12.34.

Server Port

Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 389.

Timeout

Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.

Retries

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next LDAP authorization server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.

Login DN

Some LDAP servers (including Microsoft Active Directory) require the VPN Concentrator to bind with credentials before they accept any other LDAP operation. The VPN Concentrator identifies itself for this authenticated bind with the Login DN and its password. The Login DN should correspond to a user with administration privileges; in practice the account only needs to search the Base DN and read the user entries, so a dedicated read-only service account is preferable to a domain administrator, because its password is stored on the VPN Concentrator and, over the default port 389 without TLS (which this screen does not configure), is sent to the LDAP server in the clear.

Enter the distinguished name of the directory object the VPN Concentrator binds as, for example: cn=Administrator, cn=users, ou=people, dc=XYZ Corporation, dc=com. For anonymous access, leave this field blank.

Password

Enter the password for the Login DN.

Verify

Re-enter the Login DN password to verify it. The field shows only asterisks.

Base DN

Enter the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request. For example, OU=people, dc=cisco, dc=com.

Search Scope

Choose the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.

• One Level: Search only one level beneath the Base DN. This option is quicker.

• Subtree: Search all levels beneath the Base DN; in other words, search the entire subtree hierarchy. This option takes more time.

Naming Attributes

Enter the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (cn) and User ID (uid).
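The Base DN, Search Scope and Naming Attributes fields together define the search the server runs for each authorization request. The following Python script is an added example, not Cisco code and not the VPN Concentrator's implementation: it builds the RFC 4515 search filter from the naming attributes and a username, escaping the characters that would otherwise be read as filter syntax, and it checks which entries a One Level or Subtree search from the manual's sample Base DN would examine. Combining several naming attributes with OR is this example's choice (the manual does not say how the VPN Concentrator treats more than one), and the entry DNs and the hostile username are constructed for the demo.

```python
"""Build the LDAP search an authorization request implies, with filter escaping (added example, not Cisco code)."""
ONE_LEVEL, SUBTREE = "onelevel", "subtree"

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a username so it is matched literally instead of being read as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(naming_attributes, username):
    """One equality assertion per naming attribute, OR'ed when there is more than one (this example's choice)."""
    attrs = [a.strip() for a in naming_attributes.split(",") if a.strip()]
    if not attrs:
        raise ValueError("at least one naming attribute is required")
    for a in attrs:
        if not a.replace("-", "").isalnum():
            raise ValueError(f"bad attribute name: {a!r}")
    terms = [f"({a}={escape_filter_value(username)})" for a in attrs]
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


def _dn_components(dn):
    """Split a DN on unescaped commas and normalize case and spacing (simplified RFC 4514)."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip().lower() for p in parts]


def in_scope(entry_dn, base_dn, scope):
    """True if a search with this Base DN and Search Scope would examine entry_dn."""
    entry, base = _dn_components(entry_dn), _dn_components(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)      # 0 is the base object itself
    return depth == 1 if scope == ONE_LEVEL else True


BASE_DN = "OU=people, dc=cisco, dc=com"     # the manual's sample Base DN


def demo():
    """Filters and scope decisions for constructed usernames and entry DNs."""
    hostile = "*)(uid=*"                     # constructed: unescaped, this would match every entry
    nested = "uid=jsmith, ou=eng, ou=people, dc=cisco, dc=com"
    return {
        "plain": build_filter("uid", "jsmith"),
        "hostile": build_filter("uid", hostile),
        "two_attrs": build_filter("cn, uid", "jsmith"),
        "direct_child_onelevel": in_scope("uid=jsmith, ou=people, dc=cisco, dc=com", BASE_DN, ONE_LEVEL),
        "nested_onelevel": in_scope(nested, BASE_DN, ONE_LEVEL),
        "nested_subtree": in_scope(nested, BASE_DN, SUBTREE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The scope check is the practical reason to prefer Subtree when users live in organizational units beneath the Base DN: with One Level, a user in ou=eng under ou=people is never found and authorization fails even though the account exists.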

Add or Apply / Cancel

To add the new server to the list of configured user authorization servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the Configuration | User Management | Groups | Authorization Servers screen. Any new server appears at the bottom of the Authorization Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | User Management | Groups | Authorization Servers screen, and the Authorization Servers list is unchanged.

Configuration | User Management | Groups | Authorization Servers | Test

This screen lets you test a configured user authorization server to determine that:

• The VPN Concentrator is communicating properly with the authorization server.

• The server correctly authorizes a valid user.

• The server correctly rejects an authorization request for an invalid user.

Figure 13-32 Configuration | User Management | Groups | Authorization Servers | Test Screen

Username

To test connectivity and valid authorization, enter the username for a valid user who has been configured on the authorization server. The maximum username length is 32 characters. Entries are case-sensitive.

To test connectivity and authorization rejection, enter a username that is invalid on the authorization server.

Password

Enter the password for the username. The maximum password length is 32 characters. Entries are case-sensitive. The field displays only asterisks.

OK / Cancel

To send the username and password to the chosen authorization server, click OK. The authorization and response process takes a few seconds. The Manager displays a Success or Error screen.

To cancel the test and discard your entries, click Cancel. The Manager returns to the Configuration | User Management | Groups | Authorization Servers screen.

Authorization Server Test: Success

If the VPN Concentrator communicates correctly with the authorization server, and the server correctly authorizes a valid user, the Manager displays a Success screen.

Figure 13-33 Authorization Server Test: Success Screen

Continue

To return to the Configuration | User Management | Groups | Authorization Servers | Test screen, click Continue. You can then test authorization for another username.

To return to the Configuration | User Management | Groups | Authorization Servers screen, or any other screen, click the desired title in the left frame (Manager table of contents).

Authorization Server Test: Authorization Rejected Error

If the VPN Concentrator communicates correctly with the authorization server, and the server correctly rejects an invalid user, the Manager displays an Authorization Rejected Error screen.

Figure 13-34 Authorization Server Test: Authorization Rejected Error Screen

To return to the Configuration | User Management | Groups | Authorization Servers | Test screen, click Retry the operation.

To go to the main VPN Concentrator Manager screen, click Go to main menu.

Authorization Server Test: Authorization Error

If the VPN Concentrator cannot communicate with the authorization server, the Manager displays an Authorization Error screen. Error messages include:

• No response from server = There is no response from the selected server within the configured timeout and retry periods.

• No active server found = The VPN Concentrator cannot find an active, configured server to test.

The server might be improperly configured or out of service, the network might be down or clogged, etc. Check the server configuration parameters, be sure the server is operating, check the network connections, etc.

Figure 13-35 Authorization Server Test: Authorization Error Screen

To return to the Configuration | User Management | Groups | Authorization Servers | Test screen, click Retry the operation.

To go to the main VPN Concentrator Manager screen, click Go to main menu.

Configuration | User Management | Groups | Accounting Servers

This screen lets you add, modify, delete, or move external RADIUS accounting servers for a group. Accounting servers collect data on user connect time, packets transmitted, etc., under the VPN tunneling protocols: PPTP, L2TP, and IPSec. For more information on RADIUS accounting servers, see "Configuration | System | Servers | Accounting | Add or Modify".

You can configure and prioritize up to 10 accounting servers. The first server is the primary, and the rest are backup servers in case the primary is inoperative. If no accounting servers are configured for a group, the Global accounting server list applies.

Before you configure an accounting server here, be sure that the server you reference is itself properly configured and that you know how to access it (IP address or host name, UDP port, server secret, etc.). The VPN Concentrator functions as the client of these servers.

Figure 13-36 Configuration | User Management | Groups | Accounting Servers Screen

Servers

The Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type, for example: 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server is the primary, the rest are backup.

Actions

To configure and add a new accounting server, click Add. The Manager opens the Configuration | User Management | Groups | Accounting Servers | Add screen.

To modify parameters for an accounting server that has been configured, select the server from the list and click Modify. The Manager opens the Configuration | User Management | Groups | Accounting Servers | Modify screen.

To remove a server that has been configured, select the server from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining servers in the list. When you delete a server, any clients with no other accounting server configured use the server configured for the base group.

To change the priority order for an accounting server click Move Up or Move Down to move it up or down on the list of servers configured for this group.

When you are finished configuring accounting servers, click Done. This action includes your settings in the active configuration. The Manager returns to the Configuration | User Management | Groups screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | User Management | Groups | Accounting Servers | Add or Modify

This section lets you add or modify RADIUS accounting servers for a group.

Figure 13-37 Configuration | User Management | Groups | Accounting Servers | Add or Modify Screen

Accounting Server

Enter the IP address or host name of the RADIUS accounting server, for example: 192.168.12.34. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)

Server Port

Enter the UDP port number by which you access the accounting server. The default port number is 1646.

Note RFC 2866 assigns RADIUS accounting to UDP port 1813; port 1646 is the older, pre-RFC assignment. You might need to change this default value to 1813 to match your server.

Timeout

Enter the time in seconds to wait after sending a query to the accounting server and receiving no response, before trying again. The minimum time is 1 second. The default time is 1 second. The maximum time is 30 seconds.

Retries

Enter the number of times to retry sending a query to the accounting server after the timeout period. If there is still no response after this number of retries, the system declares this server inoperative and uses the next accounting server in the list. The minimum number of retries is 0. The default is 3. The maximum is 10.
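The Timeout and Retries fields here, and the identically defined fields for the Kerberos/Active Directory authentication server and for the RADIUS and LDAP authorization servers earlier in this chapter, determine how long a user waits before an unreachable server is skipped. The following Python script is an added example, not Cisco code: it models the behaviour the manual describes (one initial query plus Retries further queries, each allowed Timeout seconds, after which the server is declared inoperative and the next one in the list is tried) with a stub transport so that it runs offline, and computes the worst-case delay for a server list. Server addresses, which servers are unreachable, and their answers are constructed for the demo; the reading that only silence, not a rejection, causes failover follows the manual's wording.

```python
"""Model the VPN Concentrator's timeout, retry and failover behaviour (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Server:
    address: str
    timeout: int = 4   # seconds to wait for a reply before trying again (1..30)
    retries: int = 2   # further attempts after the first query (0..10)

    def __post_init__(self):
        # The Manager's own limits, from the field descriptions in this chapter.
        if not 1 <= self.timeout <= 30:
            raise ValueError("Timeout must be between 1 and 30 seconds")
        if not 0 <= self.retries <= 10:
            raise ValueError("Retries must be between 0 and 10")

    def worst_case_seconds(self):
        """Time spent on this server before it is declared inoperative: the first query plus each retry."""
        return self.timeout * (self.retries + 1)


def worst_case_before_failure(servers):
    """Seconds a user may wait before a request fails against every server in the list."""
    return sum(s.worst_case_seconds() for s in servers)


@dataclass
class Outcome:
    result: str                   # "accept", "reject" or "no_response"
    server: Optional[str]         # address of the server that answered, if any
    elapsed: int                  # seconds spent waiting on unanswered queries
    attempts: List[Tuple[str, int, Optional[str]]] = field(default_factory=list)


def query_with_failover(servers, send):
    """Try servers in priority order; send(server) returns "accept", "reject" or None for no reply.

    Only silence moves on to the next server: a rejection is a reply, so a refused
    user is not retried against the backup servers.
    """
    elapsed, attempts = 0, []
    for srv in servers:
        for attempt in range(srv.retries + 1):
            reply = send(srv)
            attempts.append((srv.address, attempt, reply))
            if reply is not None:
                return Outcome(reply, srv.address, elapsed, attempts)
            elapsed += srv.timeout
        # No reply after the retries: this server is inoperative, so fall through to the next one.
    return Outcome("no_response", None, elapsed, attempts)


def stub_transport(dead, answers):
    """Constructed transport for the demo: servers in `dead` never answer, others return answers[address]."""
    def send(server):
        if server.address in dead:
            return None
        return answers.get(server.address, "reject")
    return send


# Constructed server lists using the manual's defaults: authentication/authorization
# servers (4 s, 2 retries) and accounting servers (1 s, 3 retries).
AUTH_SERVERS = [Server("192.168.12.34"), Server("192.168.12.35")]
ACCT_SERVERS = [Server("192.168.12.40", timeout=1, retries=3), Server("192.168.12.41", timeout=1, retries=3)]


def demo_primary_down():
    """Primary unreachable, backup accepts: the user first waits out the primary's whole budget."""
    send = stub_transport(dead={"192.168.12.34"}, answers={"192.168.12.35": "accept"})
    return query_with_failover(AUTH_SERVERS, send)


if __name__ == "__main__":
    o = demo_primary_down()
    print(o.result, "from", o.server, "after", o.elapsed, "s and", len(o.attempts), "queries")
    print("worst case before 'No response from server':", worst_case_before_failure(AUTH_SERVERS), "s")
    print("accounting worst case:", worst_case_before_failure(ACCT_SERVERS), "s")
```

With the defaults, a dead primary authentication server costs every user 12 seconds at tunnel setup before the backup is even asked, and a ten-server list at the maximum values (30 seconds, 10 retries) could take 55 minutes to fail; the "No response from server" message on the Test screens corresponds to the no_response outcome here.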

Server Secret

Enter the server secret (also called the shared secret), for example: C8z077f. The field shows only asterisks.

Verify

Re-enter the server secret to verify it. The field shows only asterisks.

Add or Apply / Cancel

To add this server to the list of configured user accounting servers, click Add. Or, to apply your changes to this user accounting server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | User Management | Groups | Accounting Servers screen. Any new server appears at the bottom of the Accounting Servers list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | User Management | Groups | Accounting Servers screen, and the Accounting Servers list is unchanged.

Configuration | User Management | Groups | Address Pools

This screen lets you configure IP address pools from which the VPN Concentrator assigns addresses to clients on a per-group basis. If no address pools are defined for a group, the globally defined address pools apply.

Figure 13-38 Configuration | User Management | Groups | Address Pools Screen

IP Pool Entry

The IP Pool Entry list shows the configured address pools for the group, in priority order. Each entry shows the range of IP addresses. If no address pools have been configured, the list shows --Empty--.

Actions

To configure and add a new address pool, click Add. The Manager opens the Configuration | User Management | Groups | Address Pools | Add screen.

To modify an address pool that has been configured, select the pool entry from the list and click Modify. The Manager opens the Configuration | User Management | Groups | Address Pools | Modify screen.

To remove an address pool that has been configured, select the pool from the list and click Delete.

When you are finished configuring address pools, click Done. This action includes your settings in the active configuration. The Manager returns to the Configuration | User Management | Groups screen.

To change the priority order for an address pool, click Move Up or Move Down to move it up or down on the list of address pools configured for this group.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | User Management | Groups | Address Pools | Add or Modify

These screens let you:

• Add a new pool of IP addresses from which the VPN Concentrator assigns addresses to clients.

• Modify an IP address pool that you have previously configured.

The IP addresses in the pool range must not be assigned to other network resources.

Figure 13-39 Configuration | User Management | Groups | Address Pools | Add or Modify Screen

Range Start

Enter the first IP address available in this pool. Use dotted decimal notation, for example: 10.10.147.100.

Range End

Enter the last IP address available in this pool. Use dotted decimal notation, for example: 10.10.147.177.
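The Manager does not know which addresses are in use elsewhere on your network, so the requirement that pool addresses not be assigned to other network resources has to be checked by the administrator. The following Python script is an added example, not Cisco code: it validates a group's pools as they would be typed into Range Start and Range End (start not after end, no overlap between pools) and flags any pool that includes addresses from a list of reservations. The second pool and the reserved addresses are constructed for the demo; the first pool is the manual's sample range.

```python
"""Sanity-check per-group address pools before adding them (added example, not Cisco code)."""
import ipaddress


def parse_pool(start, end):
    """Turn the Range Start / Range End fields into an (IPv4Address, IPv4Address) pair."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        raise ValueError(f"Range Start {start} is after Range End {end}")
    return lo, hi


def pool_size(pool):
    """Number of addresses the pool can hand out."""
    return int(pool[1]) - int(pool[0]) + 1


def ranges_overlap(a_lo, a_hi, b_lo, b_hi):
    return a_lo <= b_hi and b_lo <= a_hi


def check_pools(pools, reserved):
    """Return a list of problems (an empty list means the pools are consistent).

    pools: [(start, end), ...] as typed into the Manager, in priority order.
    reserved: addresses or CIDR networks already assigned to other network resources.
    """
    parsed = [parse_pool(s, e) for s, e in pools]
    problems = []
    for i, (p_lo, p_hi) in enumerate(parsed):
        for q_lo, q_hi in parsed[i + 1:]:
            if ranges_overlap(p_lo, p_hi, q_lo, q_hi):
                problems.append(f"pool {p_lo}-{p_hi} overlaps pool {q_lo}-{q_hi}")
    for r in reserved:
        net = ipaddress.ip_network(r, strict=False)      # a bare address becomes a /32
        for p_lo, p_hi in parsed:
            if ranges_overlap(p_lo, p_hi, net.network_address, net.broadcast_address):
                problems.append(f"pool {p_lo}-{p_hi} includes {net}, which is already assigned")
    return problems


# Constructed input: the manual's sample pool plus a second one, and two
# hypothetical reservations (the subnet gateway and a small block of printers).
GROUP_POOLS = [("10.10.147.100", "10.10.147.177"), ("10.10.148.10", "10.10.148.50")]
RESERVED = ["10.10.147.1", "10.10.147.160/30"]


def demo():
    """Return (problems, total_addresses) for the constructed pools."""
    total = sum(pool_size(parse_pool(s, e)) for s, e in GROUP_POOLS)
    return check_pools(GROUP_POOLS, RESERVED), total


if __name__ == "__main__":
    problems, total = demo()
    print(f"{total} addresses across {len(GROUP_POOLS)} pools")
    for problem in problems:
        print("PROBLEM:", problem)
```

Run the check against your own reservations (gateways, servers, other groups' pools and the global pools) before clicking Add; a pool that silently overlaps a live host produces intermittent address conflicts that are hard to trace back to the VPN.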

Add or Apply / Cancel

To add this IP address pool to the list of configured pools, click Add. Or to apply your changes to this IP address pool, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | User Management | Groups | Address Pools screen. Any new pool appears at the end of the IP Pool Entry list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | User Management | Groups | Address Pools screen, and the IP Pool Entry list is unchanged.

Configuration | User Management | Groups | Client Update

This screen lets you configure client update entries.

The VPN Concentrator can automate the process of updating client software. The feature applies to the VPN Client and to the VPN 3002 hardware client as follows. When configured

• VPN Clients automatically receive notification that they should update their software from the named URL

• VPN 3002 hardware client software is automatically updated via TFTP.

Figure 13-40 Configuration | User Management | Groups | Client Update screen

Update Entry

The Update Entry list displays configured client update entries.

Actions

To configure and add a new client update entry, click Add. The Manager opens the Configuration | User Management | Groups | Client Update | Add screen.

To modify a client update entry that has been configured, select the entry from the list and click Modify. The Manager opens the Configuration | User Management | Groups | Client Update | Modify screen.

To remove a client update entry that has been configured, select the entry from the list and click Delete. When you are finished configuring client update entries, click Done. This action includes your settings in the active configuration. The Manager returns to the Configuration | User Management | Groups screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | User Management | Groups | Client Update | Add or Modify

These screens let you configure client update parameters.

Figure 13-41 Configuration | User Management | Groups | Client Update | Add or Modify Screens

Client Type

Enter the client type you want to update.

• For the VPN Client: Enter the Windows operating systems to notify:

– Windows includes all Windows based platforms.

– Win9X includes Windows 95, Windows 98, and Windows ME platforms.

– WinNT includes Windows NT 4.0, Windows 2000, and Windows XP platforms.

The entry must be exact, including case and spacing.

Note The VPN Concentrator sends a separate notification message for each entry in a Client Update list. Therefore your client update entries must not overlap. For example, the value Windows includes all Windows platforms, and the value WinNT includes Windows NT 4.0, Windows 2000 and Windows XP platforms. So you would not include both Windows and WinNT.

• For the VPN 3002 Hardware Client: Your entry must be vpn3002, including case and spacing.


URL

Enter the URL for the software/firmware image. This URL must point to a file appropriate for this client.

• For the VPN Client: To activate the Launch button on the VPN Client Notification, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

http://10.10.99.70/vpnclient-win-3.5.Rel-k9.exe

The directory is optional. You need the port number only if you use ports other than 80 for http or 443 for https.

• For the VPN 3002 Hardware Client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

tftp://10.10.99.70/vpn3002-3.5.Rel-k9.bin

The directory is optional.

Revisions

Enter a comma-separated list of software or firmware images appropriate for this client. The following caveats apply:

• The revision list must include the software version for this update.

• Your entries must match exactly those on the URL for the VPN Client, or the TFTP server for the VPN 3002.

• The URL above must point to one of the images you enter.

If the client is already running a software version on the list, it does not need a software update. If the client is not running a software version on the list, an update is in order.

• A VPN Client user must download an appropriate software version from the listed URL.

• The VPN 3002 Hardware Client software is automatically updated via TFTP.
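The checks described for the Client Type, URL and Revisions fields, worked through as an added example (not Cisco's code): it validates entries, flags overlapping Client Type values, and decides whether a client running a given version needs an update. Matching a revision string against the filename in the URL by substring is an assumption made here.

```python
# Added example (not Cisco's code): checks a Client Update entry against the
# rules stated on the Client Update | Add or Modify screen. Substring matching of
# a revision against the URL filename is an assumption made here.
from dataclasses import dataclass
from urllib.parse import urlparse

# Exact Client Type strings the screen accepts (case and spacing matter).
VPN_CLIENT_TYPES = ("Windows", "Win9X", "WinNT")
HW_CLIENT_TYPE = "vpn3002"
# "Windows" already covers every Windows platform, so it must not be
# configured alongside either narrower value.
OVERLAPPING_PAIRS = (("Windows", "Win9X"), ("Windows", "WinNT"))


@dataclass(frozen=True)
class ClientUpdateEntry:
    client_type: str   # Client Type field
    url: str           # URL field
    revisions: tuple   # Revisions field, already split into version strings


def parse_revisions(field: str) -> tuple:
    """Split the comma-separated Revisions field into version strings."""
    return tuple(v.strip() for v in field.split(",") if v.strip())


def validate_entry(entry: ClientUpdateEntry) -> list:
    """Return the problems found with one entry; an empty list means it passes."""
    problems = []
    parsed = urlparse(entry.url)
    if entry.client_type in VPN_CLIENT_TYPES:
        # The Launch button on the VPN Client notification needs http or https.
        if parsed.scheme not in ("http", "https"):
            problems.append("VPN Client URL must start with http:// or https://")
    elif entry.client_type == HW_CLIENT_TYPE:
        # The hardware client fetches its image over TFTP.
        if parsed.scheme != "tftp":
            problems.append("VPN 3002 URL must start with tftp://")
    else:
        problems.append("Client Type is not one of Windows, Win9X, WinNT or vpn3002")
    if not entry.revisions:
        problems.append("Revisions list is empty")
    else:
        # The URL must point to one of the images named in Revisions.
        filename = parsed.path.rsplit("/", 1)[-1]
        if not any(rev in filename for rev in entry.revisions):
            problems.append("URL filename does not contain any listed revision")
    return problems


def find_overlaps(entries) -> list:
    """Return (broad, narrow) Client Type pairs that would notify the same clients twice."""
    types = {e.client_type for e in entries}
    return [pair for pair in OVERLAPPING_PAIRS if pair[0] in types and pair[1] in types]


def needs_update(entry: ClientUpdateEntry, running_version: str) -> bool:
    """A client already running a listed revision needs no update."""
    return running_version not in entry.revisions


# Constructed sample entries built on the page's example URLs.
WINNT_ENTRY = ClientUpdateEntry(
    "WinNT", "http://10.10.99.70/vpnclient-win-3.5.Rel-k9.exe",
    parse_revisions("3.5.Rel, 3.6.Rel"))
HW_ENTRY = ClientUpdateEntry(
    "vpn3002", "tftp://10.10.99.70/vpn3002-3.5.Rel-k9.bin",
    parse_revisions("3.5.Rel"))
BAD_ENTRY = ClientUpdateEntry(
    "winnt",   # wrong case: the screen requires an exact match
    "ftp://10.10.99.70/vpnclient-win-3.5.Rel-k9.exe",
    parse_revisions("3.7.Rel"))   # not the image the URL points to

if __name__ == "__main__":
    for e in (WINNT_ENTRY, HW_ENTRY, BAD_ENTRY):
        print(e.client_type, validate_entry(e) or "ok")
    broad = ClientUpdateEntry("Windows", WINNT_ENTRY.url, WINNT_ENTRY.revisions)
    print("overlapping entries:", find_overlaps([WINNT_ENTRY, broad]))
```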

Add or Apply / Cancel

To add this client update entry to the list of configured update entries, click Add. Or, to apply your changes, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | User Management | Groups | Client Update screen. Any new entry appears at the bottom of the Update Entries list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | User Management | Groups | Client Update screen, and the Update Entries list is unchanged.


Configuration | User Management | Groups | Bandwidth Policy

Figure 13-42 Configuration | User Management | Groups | Bandwidth Policy Screen

Click the interface on which you want to configure Bandwidth Management for this group.

To apply a bandwidth policy to a group on an interface, bandwidth management must be enabled on that interface. If you choose an interface on which bandwidth management is disabled, this warning appears. (See Figure 13-43.) You must enable bandwidth management on the interface before you can continue.

Figure 13-43 Configuration | User Management | Groups | Bandwidth Policy | Interfaces Screen 1

If you choose an interface on which bandwidth management is enabled, the Configuration | User Management | Groups | Bandwidth Policy | Interfaces screen appears. (See Figure 13-4.)


Configuration | User Management | Groups | Bandwidth Policy | Interfaces

This screen lets you apply a group-wide bandwidth policy.

To configure bandwidth policy for interfaces, use the Bandwidth tab on the Configuration | Interfaces | Ethernet 1 2 3 screen.

Before you can apply a bandwidth policy to a group, you must first:

• Define the policy. You do not define the policy itself on this screen. To define bandwidth policies, use the Configuration | Policy Management | Traffic Management | Bandwidth Policies screen.

• Enable bandwidth management on the interface the group is using. To enable bandwidth management on an interface, use the Configuration | Interfaces | Ethernet 1 2 3 screen, Bandwidth Parameters tab.

• If you want the group to use a bandwidth reservation policy, you must first apply a bandwidth reservation policy to the interface the group is using. To apply a policy to an interface, use the Configuration | Interfaces | Ethernet 1 2 3 screen, Bandwidth Parameters tab.

Figure 13-44 Configuration | User Management | Groups | Bandwidth Policy Screen

Policy

Select a bandwidth policy for the group for this interface. If you do not want to apply a Bandwidth Management policy here, then select None.

Bandwidth Aggregation

Enter a value for the minimum bandwidth to reserve for this group and select a unit of measurement:

• bps—bits per second

• kbps—one thousand bits per second

• Mbps—one million bits per second

The default value of Bandwidth Aggregation is 0. The default unit of measurement is bps. If you want the group to share in the available bandwidth on the interface, enter 0.


Apply / Cancel

To apply this bandwidth policy, click Apply. This action includes your entry in the active configuration. The Manager returns to the Configuration | User Management | Groups | Bandwidth Policy screen.

To discard your entries, click Cancel. The Manager returns to the Configuration | User Management | Groups | Bandwidth Policy screen, and the active configuration is unchanged.

Configuration | User Management | Groups | WebVPN Servers and URLs

This section lets you configure access to network resources for WebVPN users in this group. The HTML interface visible to these WebVPN users varies depending on the values you set here. Users see a customized home page that includes only those features that you enable.

Note To enable WebVPN, you must also check the WebVPN checkbox in the Tunneling Protocols field of the General Tab in the Configuration | User Management | Base Group page.

Note End users need Sun Microsystems Java™ Runtime Environment (version 1.4 or later) for application access to work properly.

Figure 13-45 Configuration | User Management | Groups | WebVPN Servers and URLs Screen


Servers and URLs

This box lists all the servers and URLs that are accessible over a WebVPN connection to users in this group.

Actions

To configure and add a new WebVPN server and URL entry, click Add. The Manager opens the Configuration | User Management | Groups | WebVPN Servers and URLs | Add screen.

To modify a server and URL entry that has been configured, select the entry from the list and click Modify. The Manager opens the Configuration | User Management | Groups | WebVPN Servers and URLs | Modify screen.

To remove a WebVPN server entry that has been configured, select the entry from the list and click Delete. When you are finished configuring entries, click Done. This action includes your settings in the active configuration. The Manager returns to the Configuration | User Management | Groups screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | User Management | Groups | WebVPN Servers and URLs | Add or Modify

This section lets you configure servers and URLs that users in this group can access through a WebVPN connection. The types of servers you configure here include HTTP and file servers that provide the following resources:

• file shares

• internal websites

• e-mail proxies

• e-mail servers.

The user home page displays all servers that you configure here. If you configure no servers or URLs for the group, the global list of users and servers (Configuration | Tunneling and Security | WebVPN | Servers and URLs) is available to users in this group.


Figure 13-46 Configuration | User Management | Groups | WebVPN Servers and URLs | Add/Modify Screen

Name

Enter a short name or description that identifies this resource to end users.

Server Type

Select the type of server you are configuring.

• CIFS servers are file servers.

• HTTP servers are web servers.

• HTTPS servers are SSL encrypted web servers.

Remote Server

Enter the URL, DNS name, or network path of the remote server for end users to access.

Add or Apply / Cancel

To add this entry to the list of configured servers and URLs, click Add. Or, to apply your changes, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | User Management | Groups | WebVPN Servers and URLs screen. Any new entry appears at the end of the Servers and URLs list.

To discard your entries, click Cancel. The Manager returns to the Configuration | User Management | Groups | WebVPN Server and URLs screen, and the Servers and URLs list is unchanged.


Configuration | User Management | Groups | WebVPN Port Forwarding

WebVPN Port Forwarding provides access for remote users in the group to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access a remote server that supports that application.

Cisco has tested the following applications:

• Windows Terminal Services

• Telnet

• Secure FTP (FTP over SSH)

• Perforce

• Outlook Express

• Lotus Notes

Other TCP-based applications may also work, but Cisco has not tested them.

Note Port Forwarding does not work with some SSL/TLS versions. See Configuration | Tunneling and Security | SSL | Encryption | SSL Version field for more information.

Figure 13-47 Configuration | User Management | Groups | WebVPN Port Forwarding Screen


Forwarded Ports

This box lists all the applications that users in this group can access over a WebVPN connection. The format is:

Application name (Local TCP port -> Remote application server name or IP address:Remote TCP port).

Actions

To configure and add a new application over WebVPN, click Add. The Manager opens the Configuration | User Management | Groups | WebVPN Port Forwarding | Add screen.

To modify an already configured application, select the entry from the list and click Modify. The Manager opens the Configuration | User Management | Groups | WebVPN Port Forwarding | Modify screen.

To remove an application that has been configured, select the entry from the list and click Delete. When you are finished configuring entries, click Done. This action includes your settings in the active configuration. The Manager returns to the Configuration | User Management | Groups screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | User Management | Groups | WebVPN Port Forwarding Add or Modify

This screen lets you add or modify access to TCP-based applications for users in the group. You can have a maximum of 252 port forwarding entries.

Figure 13-48 Configuration | User Management | Groups | WebVPN Port Forwarding Add/Modify Screen


Name

Enter a name or description by which remote users can readily identify the service or application.

Local TCP Port

Assign a TCP port on the user's PC for this application to use. In the PC's hosts file, the VPN Concentrator appends this local TCP port to the PC's loopback IP address. This is how it uniquely names an application when the remote server is identified by IP address. If you use a hostname to identify the remote server, the VPN Concentrator appends the hostname to the loopback address and ignores the local TCP port value.

Set the port in the range from 1024 to 65535 to avoid conflicts with existing services that may be on the user's workstation.

Remote Server

Enter the hostname or IP address of the remote server that supports this service or application.

While the VPN Concentrator accepts either IP addresses or hostnames, we recommend using hostnames because it is easier. If you use hostnames, you do not have to change the server address configured in client applications depending on whether the user is accessing these applications locally or remotely. The following sections explain why this is so.

Using Hostnames vs. IP Addresses

When you use a hostname to identify a remote server, the Java applet modifies the WebVPN Application Access hosts file (assuming the OS is Windows, and you have administrative privileges on the PC) to create an entry for each application server. For example, when you configure your first Port Forwarding remote server with hostname johndoew2ksrv, the Java applet creates a backup copy of the original hosts file, and then modifies the hosts file to include a WebVPN entry that maps johndoew2ksrv to a loopback IP address of 127.0.0.2. If your second port forwarding entry is NotesServer, the Java applet adds to the hosts file an entry that maps NotesServer to 127.0.0.3. These entries are then associated with the real remote application ports. Each entry is unique by virtue of the loopback address the Java applet assigns.

When you use an IP address to identify the remote server, the Java applet does not back up or modify the hosts file. It assigns each server the loopback IP address of 127.0.0.1 and the TCP port that is configured as the Local TCP Port. Since the assigned IP address is always 127.0.0.1, each entry must have a unique Local TCP Port to differentiate applications.

You configure client applications to communicate to a server address. When you use the hostname and remote TCP port, addressing information for application servers is the same regardless of the user’s location. When you use an IP address and local TCP port, addressing information changes as the user changes locations, and you have to reconfigure client applications on users’ PCs.

To summarize:

If you use IP addresses, users need to have client applications point to a 127.0.0.1 address and local port that can vary from location to location when connecting over WebVPN. They must reconfigure applications to a real IP address and port when they connect locally.

If you use hostnames, users can set their client applications to connect to the real hostname and TCP port for both remote WebVPN and directly connected sessions.


Remote TCP Port

Enter the TCP/IP port for the client PC to use for this service or application. This is the real TCP port for the application; for example, 23 is the well-known port for Telnet.

Add or Apply / Cancel

To add this forwarded port to the list of configured forwarded ports, click Add. Or, to apply your changes, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | User Management | Groups | WebVPN Port Forwarding screen. Any new entry appears at the end of the Forwarded Ports list.

To discard your entries, click Cancel. The Manager returns to the Configuration | User Management | Groups | WebVPN Port Forwarding screen, and the Forwarded Ports list is unchanged.

The WebVPN Application Access Window

To use applications over WebVPN, an end user clicks Application Access on the WebVPN home page. A Java applet opens the Application Access window (see Figure 13-49 for an example). This window displays the port forwarding applications previously configured in the Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add/Modify screens.

Figure 13-49 Example of a WebVPN Application Access Window

Application Access Window Fields

The fields in the Application Access window provide the following information.

Name

Identifies the application. This is the name that you assign in the Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add/Modify screen.


Local

The hostname or IP address and TCP port on the user’s PC that this application uses.

Remote

The hostname or IP address and port of the remote server that supports this service or application.

Note If you use hostnames for the Remote Server parameter in the Configuration | Tunneling and Security | WebVPN Port Forwarding | Add/Modify screen, the values in the Local and Remote fields in the Application Access window are identical. See the section, “Using Hostnames vs. IP Addresses” to understand why it is simpler to use hostnames.

Bytes Out/In

Records data traffic for the application in the current session.

Sockets

The number of sockets for the application in the current session.

About the Hosts File

WebVPN provides access to TCP-based applications by mapping application-specific ports on the end user's PC to application-specific ports on servers behind the VPN Concentrator. When an end user accesses an application over WebVPN using hostnames to identify the application server, the VPN Concentrator modifies the Hosts file to include a mapping entry for that application.

Figure 15-33 provides an example of what the Hosts file would look like for the applications configured for the WebVPN session in Figure 13-49 above. Notice that the Hosts file has entries for the application servers identified by hostnames. The Hosts file does not record those identified by IP address.

Find the hosts file on your PC in WINDOWS > SYSTEM32 > DRIVERS > ETC.
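The hostname vs. IP address behaviour described in the Port Forwarding section and the hosts-file mapping described here, worked through as an added example (not Cisco's or the applet's code): it derives the hosts-file lines and the Local and Remote columns of the Application Access window for a list of forwarded ports, and checks the entry count, port range and duplicate Local TCP Ports. The "# WebVPN" marker on the hosts-file lines and the sample entries are constructed for this example.

```python
# Added example (not Cisco's code): derives the hosts-file lines and the
# Application Access window rows for a set of port-forwarding entries, following
# the hostname vs. IP address behaviour described in the text. The "# WebVPN"
# marker and the sample entries are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address

MAX_ENTRIES = 252                # per-group limit stated on the Add or Modify screen
LOCAL_PORT_RANGE = (1024, 65535)  # recommended Local TCP Port range


@dataclass(frozen=True)
class ForwardedPort:
    name: str           # Name field
    local_port: int     # Local TCP Port field
    remote_server: str  # Remote Server field: hostname or IP address
    remote_port: int    # Remote TCP Port field: the application's real port


def is_ip_address(server: str) -> bool:
    """True when the Remote Server field holds an IP address rather than a hostname."""
    try:
        ip_address(server)
        return True
    except ValueError:
        return False


def validate(entries) -> list:
    """Problems with a group's entry list: entry count, Local TCP Port range,
    and duplicate Local TCP Ports among IP-addressed servers, which all share
    127.0.0.1 and so can only be told apart by that port."""
    problems = []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"more than {MAX_ENTRIES} entries")
    seen = {}
    for e in entries:
        if not LOCAL_PORT_RANGE[0] <= e.local_port <= LOCAL_PORT_RANGE[1]:
            problems.append(f"{e.name}: Local TCP Port {e.local_port} outside 1024-65535")
        if is_ip_address(e.remote_server):
            if e.local_port in seen:
                problems.append(f"{e.name}: Local TCP Port {e.local_port} already used by {seen[e.local_port]}")
            seen[e.local_port] = e.name
    return problems


def plan_mappings(entries):
    """Return (hosts_file_lines, window_rows).
    Hostname servers get 127.0.0.2, 127.0.0.3, ... plus a hosts-file line, and
    their Local and Remote columns are identical; IP-addressed servers share
    127.0.0.1 and are distinguished by Local TCP Port."""
    hosts_lines, rows = [], []
    next_loopback = 2   # 127.0.0.2 through 127.0.0.253 covers the 252-entry limit
    for e in entries:
        remote = f"{e.remote_server}:{e.remote_port}"
        if is_ip_address(e.remote_server):
            local = f"127.0.0.1:{e.local_port}"
        else:
            hosts_lines.append(f"127.0.0.{next_loopback}\t{e.remote_server}\t# WebVPN")
            next_loopback += 1
            local = remote   # the hostname hides the loopback address from the user
        rows.append({"Name": e.name, "Local": local, "Remote": remote})
    return hosts_lines, rows


# Constructed entries using the hostnames from the text; 3389 and 1352 are the
# usual Terminal Services and Lotus Notes ports.
ENTRIES = [
    ForwardedPort("Telnet", 3023, "johndoew2ksrv", 23),
    ForwardedPort("Notes", 1352, "NotesServer", 1352),
    ForwardedPort("TermServ", 3389, "10.10.99.20", 3389),
]

if __name__ == "__main__":
    hosts, rows = plan_mappings(ENTRIES)
    print("hosts file additions:", *hosts, sep="\n  ")
    for row in rows:
        print(f"{row['Name']:10} Local={row['Local']:22} Remote={row['Remote']}")
    print("problems:", validate(ENTRIES) or "none")
```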


Configuration | User Management | Users

This section of the Manager lets you configure access, use, and authentication parameters for users. Users inherit parameters from the specific group to which they belong.

Configuring users in this section means configuring them in the VPN Concentrator internal authentication server. If you have not configured the internal authentication server, this screen displays a notice that includes a link to the Configuration | System | Servers | Authentication screen. The system also automatically configures the internal server when you add the first user.

See the discussion of groups and users in the User Management section at the beginning of this chapter. Remember:

• The maximum number of groups and users (combined) that you can configure depends on your VPN Concentrator model. (See Table 13-1.)

• A user can be a member of only one group.

• Users who are not members of a specific group are, by default, members of the base group. Therefore, to ensure maximum security and control, you should assign all users to appropriate specific groups, and you should configure base-group parameters carefully.

Figure 13-50 Configuration | User Management | Users Screen


Current Users

The Current Users list shows configured users in alphabetical order. If no users have been configured, the list shows --Empty--.

Add / Modify / Delete

To configure a new user, click Add. The Manager opens the Configuration | User Management | Users | Add screen.

To modify a user that has been configured, select the user from the list and click Modify. The Manager opens the Configuration | User Management | Users | Modify screen.

To remove a user that has been configured, select the user from the list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining users in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | User Management | Users | Add or Modify

These Manager screens let you:

• Add: Configure a new user and that user’s parameters on the internal authentication server.

• Modify: Change parameters for a user that you have previously configured on the internal authentication server. The screen title identifies the user you are modifying.

For many of these parameters, you can simply specify that the user “inherit” parameters from a group; and a user can be assigned either to a configured group or to the base group. Users who are not members of a configured group are, by default, members of the base group.

On this screen, you configure four kinds of parameters:

• Identity Parameters: name, password, group, and IP address.

• General Parameters: access, performance, and allowed tunneling protocols.

• IPSec Parameters: IP Security tunneling protocol.

• PPTP/L2TP Parameters: PPTP and L2TP tunneling protocols.

Tip To streamline the configuration process, just fill in the Identity Parameters tab (assigning the user to a configured group), and click Add. Then select the user and click Modify. The user inherits the group parameters, and the Modify screen shows group parameters instead of base-group parameters.

Before configuring these parameters, you should configure the base-group parameters on the Configuration | User Management | Base Group screen, and configure group parameters on the Configuration | User Management | Groups screen.

Using the Tabs

This screen includes four tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Add/Apply or Cancel.


Identity Parameters Tab

This tab lets you configure the name, password, group, and IP address for this user.

Figure 13-51 Configuration | User Management | Users | Add or Modify, Identity Parameters Tab

Username

Enter a unique name for this user. The maximum name length is 64 characters. Entries are case-sensitive.

If you change this name, this user profile replaces the existing profile.

Password

Enter a unique password for this user. The minimum length must satisfy the minimum for the group to which you assign this user (base group or specific group). The maximum length is 32 characters. Entries are case-sensitive. The field displays only asterisks.

Verify

Re-enter the user password to verify it. The field displays only asterisks.

Group

Click the Group drop-down menu button and select the group to which you assign this user. The list shows specific groups you have configured, plus:

• --Base Group-- = The default group with its base-group parameters.


IP Address

Enter the IP address, in dotted decimal notation, assigned to this user. Enter this address only if you assign this user to the base group or an internally configured group, and if you configure Use Address from Authentication Server on the Configuration | System | Address Management | Assignment screen. Otherwise, leave this field blank.

Subnet Mask

Enter the subnet mask, in dotted decimal notation, assigned to this user. Enter this mask only if you configure an IP address in the preceding field; otherwise leave this field blank.


General Parameters Tab

This tab lets you configure general access, performance, and allowed tunneling protocols that apply to this user.

Figure 13-52 Configuration | User Management | Users | Add or Modify Screen, General Tab

Value / Inherit?

On the General tabbed section:

• The Inherit? checkbox refers to group parameters: Does this specific user inherit the given setting from the group?

– Add screen = inherit base-group parameter setting.

– Modify screen = inherit assigned-group parameter setting, which can be the base group or a configured group.

Users inherit settings from the group by default. To override the group setting, uncheck the box. If you uncheck the check box, you must enter or change any corresponding Value field; do not leave the field blank.


• The Value column thus shows either group parameter settings that also apply to this user (Inherit? checked), or unique parameter settings configured for this user (Inherit? cleared). You cannot configure a grayed-out parameter.

Note The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.

Access Hours

Click the Access Hours drop-down menu button and select the named hours when this user can access the VPN Concentrator. Configure access hours on the Configuration | Policy Management | Access Hours screen. Default entries are:

• -No Restrictions- = No named access hours applied, which means that there are no restrictions on access hours.

• Never = No access at any time.

• Business Hours = Access 9 a.m. to 5 p.m., Monday through Friday.

Additional named access hours that you have configured also appear on the list.

Simultaneous Logins

Enter the number of simultaneous logins permitted for this user. The minimum value is 0, which disables login and prevents user access.

Note While there is no maximum limit, allowing several could compromise security and affect performance.

Idle Timeout

Enter this user’s idle timeout period in minutes. If there is no communication activity on the user’s connection in this period, the system terminates the connection. The minimum time is 1 minute, and the maximum time is 10080 minutes. To disable timeout and allow an unlimited idle period, enter 0.

This value does not apply to WebVPN users. Set the WebVPN idle timeout in Configuration | Tunneling and Security | WebVPN | HTTPS Proxy Default Idle Timeout.

Maximum Connect Time

Enter this user’s maximum connection time in minutes. At the end of this time, the system terminates the connection. The minimum time is 1 minute, and the maximum time is 2147483647 minutes (over 4000 years). To allow unlimited connection time, enter 0.


Filter

Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies three default filters, which you can modify. To configure filters and rules, see the Configuration | Policy Management | Traffic Management screens.

Click the Filter drop-down menu button and select the filter to apply to this user:

• --None-- = No filter applied, which means there are no restrictions on tunneled data traffic.

• Private (Default) = Allow all packets except source-routed IP packets. (This is the default filter for the private Ethernet interface.)

• Public (Default) = Allow inbound and outbound tunneling protocols plus Internet Control Message Protocol (ICMP) and Virtual Router Redundancy Protocol (VRRP). Allow fragmented IP packets. Drop everything else, including source-routed packets. (This is the default filter for the public Ethernet interface.)

• External (Default) = No rules applied to this filter. Drop all packets. (This is the default filter for the external Ethernet interface.)

Additional filters that you have configured also appear on the list.

Release 4.1 Affects Filters

The 4.0 VPN Concentrator enforces these filter rules as follows:

• Rule 1. Allow HTTPS In/Out for PC 1.

• Rule 2. Drop all other HTTPS traffic (the default action).

When you upgrade to Release 4.1 and enable the Allow Management HTTPS sessions or Allow WebVPN HTTPS sessions parameters on the public interface, enforcement changes. The VPN Concentrator now enforces filter rules in the following order:

• Rule 1. Allow HTTPS in/out for PC 1.

• Rule 2. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.

• Rule 3. Drop all other HTTPS traffic (the default action).

Rule 2 prevents Rule 3 from ever being enforced. Any PC on the public network can HTTPS in or out of the VPN Concentrator.

With Release 4.1 you must explicitly define rules to disallow HTTPS traffic from specific PCs. In the following example, you must define Rule 2:

• Rule 1. Allow HTTPS In/Out for PC 1.

• Rule 2. Disallow every other PC (0.0.0.0/255.255.255.255).

• Rule 3. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.

• Rule 4. Drop all other HTTPS traffic (the default action).

SEP Card Assignment

The VPN Concentrator can contain up to four Scalable Encryption Processing (SEP) or SEP-E (Enhanced SEP) modules that handle encryption functions, which are compute-intensive. This parameter lets you configure the load on each SEP or SEP-E module.


Check the SEP Card Assignment check box to assign this user to a given SEP or SEP-E module. If your system does not have a given SEP or SEP-E module, the parameter is ignored.


Tunneling Protocols

Check the desired Tunneling Protocols check boxes to select the VPN tunneling protocols that this user can use. Configure parameters on the IPSec or PPTP/L2TP tabs as appropriate. Users can use only the selected protocols.

You cannot check both IPSec and L2TP over IPSec. The IPSec parameters differ for these two protocols, and you cannot configure a single user for both.

• PPTP = Point-to-Point Tunneling Protocol. PPTP is a client-server protocol, and it is popular with Microsoft clients. Microsoft Dial-Up Networking (DUN) 1.2 and 1.3 under Windows 95/98 support it, as do versions of Windows NT 4.0, Windows 2000, and Windows XP.

• L2TP = Layer 2 Tunneling Protocol. L2TP is a client-server protocol. It combines many features from PPTP and L2F (Layer 2 Forwarding).

• IPSec = IP Security Protocol. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec. The Cisco VPN Client is an IPSec client specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients.

• L2TP over IPSec = L2TP using IPSec for security. L2TP packets are encapsulated within IPSec, thus providing an additional authentication and encryption layer for security. L2TP over IPSec is a client-server protocol that provides interoperability with the Windows 2000 VPN client. It is also compliant with, but not officially supported for, other remote-access clients.

• WebVPN = VPN via SSL/TLS. Uses a web browser to establish a secure remote-access tunnel to a VPN Concentrator; requires neither a software nor hardware client. WebVPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.

Note If no protocol is selected, this user cannot access or use the VPN.


IPSec Parameters Tab

This tab lets you configure IP Security Protocol parameters that apply to this user. If you checked IPSec or L2TP over IPSec under Tunneling Protocols on the General Parameters tab, configure this section.

Figure 13-53 Configuration | User Management | Users | Add or Modify Screen, IPSec Tab

Value / Inherit?

On this tabbed section:

• The Inherit? check box refers to group parameters: Does this specific user inherit the given setting from the group?

– Add screen = inherit base-group parameter setting.

– Modify screen = inherit assigned-group parameter setting, which can be the base group or a configured group.

Users inherit settings from the group by default. To override the group setting, uncheck the box. If you uncheck the check box, you must enter or change any corresponding Value field; do not leave the field blank.

• The Value column thus shows either group parameter settings that also apply to this user (Inherit? checked), or unique parameter settings configured for this user (Inherit? cleared). You cannot configure a grayed-out parameter.

Note The setting of the Inherit? check box takes priority over an entry in a Value field. Examine this box before continuing and be sure its setting reflects your intent.


IPSec SA

Click the IPSec SA drop-down menu button and select the IPSec Security Association (SA) assigned to this IPSec user. During tunnel establishment, the user client and server negotiate a Security Association that governs authentication, encryption, encapsulation, key management, etc. You configure IPSec Security Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens.

To use IPSec with remote-access clients, you must assign an SA. (For IPSec LAN-to-LAN connections, the system ignores this selection and uses parameters from the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screens.)

The VPN Concentrator supplies these default selections:

• --None-- = No SA assigned.

• ESP-DES-MD5 = This SA uses DES 56-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.

• ESP-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.

• ESP/IKE-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel.

• ESP-3DES-NONE = This SA uses Triple-DES 168-bit data encryption and no authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.

• ESP-L2TP-TRANSPORT = This SA uses DES 56-bit data encryption and ESP/MD5/HMAC-128 authentication for IPSec traffic (with ESP applied only to the transport layer segment), and it uses Triple-DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the L2TP over IPSec tunneling protocol.

• ESP-3DES-MD5-DH7 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel. It uses Diffie-Hellman Group 7 (ECC) to negotiate Perfect Forward Secrecy. This option is intended for use with the MovianVPN client, but you can use it with other clients that support D-H Group 7 (ECC).

• ESP-3DES-MD5-DH5 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the IKE tunnel. It uses Diffie-Hellman Group 5 to negotiate Perfect Forward Secrecy.

• ESP-AES128-SHA = This SA uses AES 128-bit data encryption for both the IKE tunnel and IPSec traffic, ESP/SHA/HMAC-128 authentication for IPSec traffic, and SHA/HMAC-128 authentication for the IKE tunnel.

Additional SAs that you have configured also appear on the list.


Store Password on Client

Check the Store Password on Client check box to allow this IPSec user (client) to store the login password on the client system. If you do not allow password storage, IPSec users must enter their password each time they seek access to the VPN. For maximum security, we recommend that you not allow password storage.

This parameter has no bearing on interactive hardware client authentication or individual user authentication for a VPN 3002.


PPTP/L2TP Parameters Tab

This tab lets you configure PPTP and L2TP parameters that apply to this user. During tunnel establishment, the user client and server negotiate access and usage based on these parameters. Only clients that meet these criteria are allowed access. If you checked PPTP, L2TP, or L2TP over IPSec under Tunneling Protocols on the General Parameters tab, configure these parameters.

Figure 13-54 Configuration | User Management | Users | Add or Modify Screen, PPTP/L2TP Tab

Value / Inherit?

On this tabbed section:

• The Inherit? check box refers to group parameters: Does this specific user inherit the given setting from the group?

– Add screen = inherit base-group parameter setting.

– Modify screen = inherit assigned-group parameter setting, which can be the base group or a configured group.

Users inherit settings from the group by default. To override the group setting, uncheck the box. If you uncheck the check box, you must enter or change any corresponding Value field; do not leave the field blank.

• The Value column thus shows either group parameter settings that also apply to this user (Inherit? checked), or unique parameter settings configured for this user (Inherit? cleared). You cannot configure a grayed-out parameter.

Note The setting of the Inherit? check box takes priority over an entry in a Value field. Verify that the status of the checkbox reflects your intended settings before you proceed.


Use Client Address

Check the Use Client Address checkbox to accept and use an IP address that the client supplies. A client must have an IP address if it is to function as a tunnel endpoint; for maximum security, we recommend that you control the assigning of IP addresses and do not allow client-specified IP addresses.

Make sure the setting here is consistent with the setting for Use Client Address on the Configuration | System | Address Management | Assignment screen.

PPTP Authentication Protocols

Check the PPTP Authentication Protocols check boxes for the authentication protocols that this PPTP user (client) can use. To establish and use a VPN tunnel, users should be authenticated in accordance with some protocol.

Caution Unchecking all authentication options means that no authentication is required. That is, PPTP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.

These choices specify the allowable authentication protocols in order from least secure to most secure.

You can allow a user to use fewer protocols than the assigned group, but not more. You cannot allow a grayed-out protocol.

• PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. We recommend that you not allow this protocol.

• CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the client returns the encrypted [challenge plus password], with a cleartext username. It is more secure than PAP, but it does not encrypt data.

• MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is similar to, but more secure than, CHAP. In response to the server challenge, the client returns the encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores—and compares—only encrypted passwords, rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption).

• MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is more secure than MSCHAPv1. It requires mutual client-server authentication, uses session-unique keys for data encryption by MPPE, and derives different encryption keys for the send and receive paths.


L2TP Authentication Protocols

Check the L2TP Authentication Protocols check boxes for the authentication protocols that this L2TP user (client) can use. To establish and use a VPN tunnel, users should be authenticated in accordance with some protocol.

Caution Unchecking all authentication options means that no authentication is required. That is, L2TP users can connect with no authentication. This configuration is allowed so you can test connections, but it is not secure.

These choices specify the allowable authentication protocols in order from least secure to most secure.

You can allow a user to use fewer protocols than the assigned group, but not more. You cannot allow a grayed-out protocol.

• PAP = Password Authentication Protocol. This protocol passes cleartext username and password during authentication and is not secure. We strongly recommend that you not allow this protocol.

• CHAP = Challenge-Handshake Authentication Protocol. In response to the server challenge, the client returns the encrypted [challenge plus password], with a cleartext username. It is more secure than PAP, but it does not encrypt data.

• MSCHAPv1 = Microsoft Challenge-Handshake Authentication Protocol version 1. This protocol is similar to, but more secure than, CHAP. In response to the server challenge, the client returns the encrypted [challenge plus encrypted password], with a cleartext username. Thus the server stores—and compares—only encrypted passwords, rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE (Microsoft Point-to-Point Encryption).

• MSCHAPv2 = Microsoft Challenge-Handshake Authentication Protocol version 2. This protocol is even more secure than MSCHAPv1. It requires mutual client-server authentication, uses session-unique keys for data encryption by MPPE, and derives different encryption keys for the send and receive paths.

Add or Apply / Cancel

When you finish setting or changing parameters on all tabs, click Add or Apply at the bottom of the screen to Add this user to the list of configured internal users, or to Apply your changes. Both actions include your settings in the active configuration. The Manager returns to the Configuration | User Management | Users screen. Any new users appear in alphabetical order in the Current Users list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | User Management | Users screen, and the Current Users list is unchanged.


Chapter 14

Policy Management

Managing a VPN, and protecting the integrity and security of network resources, includes carefully designing and implementing policies that govern who can use the VPN, when, and what data traffic can flow through it. User management deals with “who can use it”; see “User Management” for that discussion. Policy management deals with “when” and “what data traffic can flow through it”; this section covers those topics.

You configure when remote users access the VPN under Access Hours.

You configure “what data traffic can flow through it” under Traffic Management. The Cisco VPN 3000 Concentrator hierarchy is straightforward: you use filters that consist of rules; and for IPSec rules, you apply Security Associations (SAs). Therefore, you first configure rules and SAs, then use them to construct filters.

Basically, a filter determines whether to forward or drop a data packet traversing the system. It examines the data packet in accordance with one or more rules—direction, source address, destination address, ports, and protocol—which determine whether to forward, apply IPSec and forward, or drop. And it examines the rules in the order they are arranged on the filter.

You apply filters to Ethernet interfaces, and thus govern all traffic through an interface. You also apply filters to groups and users, and thus govern tunneled traffic through an interface.

If you are applying different filters to a large number of groups or users, you might find it more convenient to configure filters on an external RADIUS server. For more information on configuring the VPN Concentrator to use external filters, see Monitoring | Dynamic Filters in VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring.

With IPSec, the VPN Concentrator negotiates Security Associations during tunnel establishment that govern authentication, key management, encryption, encapsulation, etc. Thus IPSec also determines how to transform a data packet before forwarding it. You apply Security Associations to IPSec rules when you include those rules in a filter, and you apply SAs to groups and users.

The VPN Concentrator also lets you create network lists, which are lists of network addresses that are treated as a single object. These lists simplify the configuration of rules for complex networks. You can also use them to configure split tunneling for groups and users, and to configure IPSec LAN-to-LAN connections.

To fully configure the VPN Concentrator, you should first develop policies (network lists, rules, SAs, and filters), since they affect Ethernet interfaces, groups, and users. And once you have developed policies, we recommend that you configure and apply filters to interfaces before you configure groups and users.

Traffic management on the VPN Concentrator also includes NAT (Network Address Translation) functions that translate private network addresses into legitimate public network addresses. Again, you develop rules to configure and use NAT.


Configuration | Policy Management

This section of the Manager lets you configure policies that apply to groups, users, and VPN Concentrator Ethernet interfaces.

Policies govern:

• Access Hours: when remote users can access the VPN Concentrator.

• Traffic Management: what data traffic can flow through the VPN Concentrator, as governed by:

– Network Lists: lists of networks grouped as single objects.

– Rules: detailed parameters that govern the handling of data packets.

– SAs: IPSec Security Associations.

– Filters: structures for applying aggregated rules.

– NAT: Network Address Translation.

– Bandwidth Policies: policies prioritizing network traffic.

• Certificate Group Matching: which fields in a distinguished name to use for matching a user’s certificate to a permission group.

Figure 14-1 Configuration | Policy Management Screen


Configuration | Policy Management | Access Hours

This section of the Manager lets you configure access times, to control when remote-access groups and users can access the VPN Concentrator. You assign access hours to groups and users under Configuration | User Management. Access hours do not apply to LAN-to-LAN connections.

Figure 14-2 Configuration | Policy Management | Access Hours Screen

Current Access Hours

The Current Access Hours list shows the names of configured access times. The Cisco-supplied default access times are:

• Never = Never. No access at any time.

• Business Hours = Monday through Friday, 9 a.m. to 5 p.m.

Additional access times that you configure appear in the list.

Add / Modify / Delete

To configure and add a new access time to the list, click Add. The Manager opens the Configuration | Policy Management | Access Hours | Add screen.

To modify a configured access time, select the entry from the list and click Modify. The Manager opens the Configuration | Policy Management | Access Hours | Modify screen.

To remove a configured access time, select the entry from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the Current Access Hours list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Policy Management | Access Hours | Add or Modify

These Manager screens let you:

• Add: Configure and add a new access time to the list of configured access times.

• Modify: Modify a configured access time. Changing an access time has no effect on connected users, since the parameter is checked only when the tunnel is established. The change affects subsequent connections, however.

Figure 14-3 Configuration | Policy Management | Access Hours | Add or Modify Screens


Name

Enter a unique name for this set of access hours. Maximum is 48 characters.

Sunday - Saturday

For each day of the week, click the Sunday - Saturday drop-down menu button and choose:

• during = Allow access during the hours in the range (default).

• except = Allow access at times except the hours in the range.

Enter or edit hours in the range fields. Times are inclusive: starting time through ending time. Enter times as HH:MM:SS and use 24-hour notation, for example: enter 5:30 p.m. as 17:30. By default, all ranges are 00:00:00 to 23:59:59.
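The access-hours semantics described above (per-day during/except ranges, inclusive HH:MM:SS boundaries in 24-hour notation, the default 00:00:00 to 23:59:59 range, and the two Cisco-supplied defaults), modelled in Python as an added example; this is not Cisco code, and the class and function names are this example's own. Business Hours and Never are reproduced from the definitions the manual gives, with Never expressed as "except the whole day".

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict

# The Manager lists days Sunday first; datetime.weekday() counts Monday as 0.
DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
DAY_START, DAY_END = "00:00:00", "23:59:59"   # default range for every day
MAX_NAME_LEN = 48


def parse_hms(text: str) -> int:
    """HH:MM:SS in 24-hour notation -> seconds since midnight.

    Rejects forms such as '5:30 p.m.'; the manual asks for 17:30 instead."""
    parts = text.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"{text!r}: enter times as HH:MM:SS in 24-hour notation")
    h, m, s = (int(p) for p in parts)
    if not (0 <= h <= 23 and 0 <= m <= 59 and 0 <= s <= 59):
        raise ValueError(f"{text!r}: hour, minute or second out of range")
    return h * 3600 + m * 60 + s


@dataclass(frozen=True)
class DayRule:
    mode: str = "during"              # "during" (default) or "except"
    start: int = parse_hms(DAY_START)
    end: int = parse_hms(DAY_END)     # inclusive: start through end

    def allows(self, seconds: int) -> bool:
        in_range = self.start <= seconds <= self.end
        return in_range if self.mode == "during" else not in_range


@dataclass
class AccessHours:
    name: str
    days: Dict[str, DayRule] = field(default_factory=lambda: {d: DayRule() for d in DAYS})

    def __post_init__(self) -> None:
        if not self.name or len(self.name) > MAX_NAME_LEN:
            raise ValueError(f"name must be 1 to {MAX_NAME_LEN} characters")

    def set_day(self, day: str, mode: str, start: str, end: str) -> None:
        if day not in DAYS:
            raise ValueError(f"unknown day {day!r}")
        if mode not in ("during", "except"):
            raise ValueError(f"mode must be 'during' or 'except', not {mode!r}")
        start_s, end_s = parse_hms(start), parse_hms(end)
        if start_s > end_s:
            raise ValueError(f"{day}: range {start}-{end} ends before it starts")
        self.days[day] = DayRule(mode, start_s, end_s)

    def allows(self, when: datetime) -> bool:
        """Decision at tunnel establishment; the check is not repeated for a
        connected user, so changing access hours does not drop existing sessions."""
        day = DAYS[(when.weekday() + 1) % 7]
        return self.days[day].allows(when.hour * 3600 + when.minute * 60 + when.second)


def business_hours() -> AccessHours:
    """Cisco-supplied default: Monday through Friday, 9 a.m. to 5 p.m."""
    ah = AccessHours("Business Hours")
    for day in DAYS[1:6]:
        ah.set_day(day, "during", "09:00:00", "17:00:00")
    for day in ("Saturday", "Sunday"):
        ah.set_day(day, "except", DAY_START, DAY_END)   # except the whole day = no access
    return ah


def never() -> AccessHours:
    """Cisco-supplied default: no access at any time."""
    ah = AccessHours("Never")
    for day in DAYS:
        ah.set_day(day, "except", DAY_START, DAY_END)
    return ah


if __name__ == "__main__":
    # Constructed sample timestamps; 12 January 2004 is a Monday.
    for when in (datetime(2004, 1, 12, 8, 59, 59), datetime(2004, 1, 12, 17, 0, 0),
                 datetime(2004, 1, 10, 12, 0, 0)):
        print(when, "Business Hours ->", business_hours().allows(when))
```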

Add or Apply / Cancel

To add this access time to the list, click Add. Or to apply your changes for this access time, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Access Hours screen. Any new entry appears in the Current Access Times list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Access Hours screen, and the Current Access Times list is unchanged.


Configuration | Policy Management | Traffic Management

This section of the Manager lets you configure network lists, rules, filters, and security associations, as well as network address translation and bandwidth policies. These features let you control the data traffic through the VPN Concentrator.

• Network lists let you treat lists of network addresses as a single object, thus simplifying the configuration of rules for complex networks.

• Filters consist of rules; and IPSec rules (rules in which you configure an Apply IPSec action) also have security associations. Therefore you first configure any network lists, then rules and SAs, and finally filters.

A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a packet matches all the parameters specified in the rule, the system takes the action specified in the rule. If at least one rule parameter does not match, it applies the next rule; and so on. If no rule matches, the system takes the default action specified in the filter.

You apply filters to interfaces under Configuration | Interfaces, and these are the most important filters for security since they apply to all traffic. You also apply filters to groups and users under Configuration | User Management; these filters apply to tunneled traffic only.

• Network address translation (NAT) translates private network addresses into an IANA-assigned public network address, and vice versa, and thus allows traffic routing between networks that have overlapping private network addresses.

• Bandwidth policies let you set minimum and maximum amounts of bandwidth per group.
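The first-match filter evaluation described above, together with the Release 4.1 ordering change described under Filter in the User Management chapter (the implicit allow that the Allow Management HTTPS sessions and Allow WebVPN HTTPS sessions options place ahead of the default drop), modelled in Python as an added example. This is not Cisco code: the rule engine, the host addresses (constructed from the documentation range) and the representation of the implicit allow as an ordinary rule are this example's assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

HTTPS_PORT = 443
ANY = "0.0.0.0/255.255.255.255"   # a wildcard of all ones matches every address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str            # "in" (arriving on the interface) or "out"
    protocol: str = "tcp"
    dport: int = HTTPS_PORT


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "forward" or "drop"
    src: str = ANY            # n.n.n.n/w.w.w.w; ones in the wildcard are bits to ignore
    dst: str = ANY
    direction: str = "any"    # "in", "out" or "any"
    protocol: str = "any"
    dport: Optional[int] = None   # None = any destination port


def wildcard_match(addr: str, spec: str) -> bool:
    """Match addr against network/wildcard; wildcard bits set to one are ignored."""
    network, wildcard = spec.split("/")
    keep = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & keep == int(IPv4Address(network)) & keep


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every one of its parameters matches the packet."""
    return (
        rule.direction in ("any", pkt.direction)
        and rule.protocol in ("any", pkt.protocol)
        and (rule.dport is None or rule.dport == pkt.dport)
        and wildcard_match(pkt.src, rule.src)
        and wildcard_match(pkt.dst, rule.dst)
    )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> Tuple[str, str]:
    """Rules are tried in filter order; the first match decides, else the default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default, "default action"


# Constructed sample hosts (RFC 5737 documentation range), not from the manual.
CONCENTRATOR_PUBLIC = "203.0.113.1"
PC1 = "203.0.113.10"
PC2 = "203.0.113.20"

ALLOW_PC1 = Rule("Allow HTTPS In for PC 1", "forward",
                 src=f"{PC1}/0.0.0.0", direction="in", protocol="tcp", dport=HTTPS_PORT)
DROP_OTHER_PCS = Rule("Drop HTTPS from every other PC (0.0.0.0/255.255.255.255)", "drop",
                      src=ANY, direction="in", protocol="tcp", dport=HTTPS_PORT)
# Stand-in for the implicit allow that Allow Management HTTPS sessions /
# Allow WebVPN HTTPS sessions insert ahead of the default action in Release 4.1.
IMPLICIT_HTTPS_ALLOW = Rule("Allow Management/WebVPN HTTPS sessions (implicit)", "forward",
                            src=ANY, direction="in", protocol="tcp", dport=HTTPS_PORT)


def public_filter(release: str, explicit_deny: bool = False) -> List[Rule]:
    """Rule order on the public interface for the two releases discussed."""
    rules = [ALLOW_PC1]
    if release == "4.1":
        if explicit_deny:
            rules.append(DROP_OTHER_PCS)   # must sit before the implicit allow
        rules.append(IMPLICIT_HTTPS_ALLOW)
    return rules


def inbound_https_verdict(src: str, release: str, explicit_deny: bool = False) -> str:
    """Action taken on an HTTPS connection attempt from src to the public interface."""
    pkt = Packet(src=src, dst=CONCENTRATOR_PUBLIC, direction="in")
    return evaluate(public_filter(release, explicit_deny), pkt)[0]


if __name__ == "__main__":
    for release, deny in (("4.0", False), ("4.1", False), ("4.1", True)):
        print(f"Release {release}, explicit deny rule={deny}: "
              f"PC1={inbound_https_verdict(PC1, release, deny)}, "
              f"PC2={inbound_https_verdict(PC2, release, deny)}")
```

Without the explicit drop, PC2 reaches the implicit allow in 4.1 and is forwarded; with it placed before the implicit allow, only PC1 gets through, which is the ordering the manual prescribes.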

Figure 14-4 Configuration | Policy Management | Traffic Management Screen


Configuration | Policy Management | Traffic Management | Network Lists

This section of the Manager lets you configure network lists, which are lists of networks that are grouped as single objects. Network lists make configuration easier: for example, you can use a network list to configure one filter rule for a set of networks rather than configuring separate rules for each network.

You can use network lists in configuring filter rules (see Configuration | Policy Management | Traffic Management | Rules). You can also use them to configure split tunneling for groups and users (see Configuration | User Management), and to configure IPSec LAN-to-LAN connections (see Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN).

The Manager can automatically generate a network list containing the private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table, and Inbound RIP must be enabled on that interface.

A single network list can contain a maximum of 200 network entries. The Manager does not limit the number of network lists you can configure.

Figure 14-5 Configuration | Policy Management | Traffic Management | Network Lists Screen


Network List

The Network List field shows the names of the network lists you have configured. If no lists have been configured, the field shows --Empty--.

Add / Modify / Copy / Delete

To configure and add a new network list, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Network Lists | Add screen.

To modify a configured network list, select the list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Network Lists | Modify screen.

To copy a configured network list, modify it, and save it with a new name, select the list and click Copy. See the Configuration | Policy Management | Traffic Management | Network Lists | Copy screen.

To delete a configured network list, select the list and click Delete. If the network list is configured on a filter rule or an IPSec LAN-to-LAN connection, the Manager displays an error message indicating the action to take before you can delete the list. Otherwise, there is no confirmation or undo. The Manager deletes the list, refreshes the screen, and shows the remaining network lists.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy

These screens let you:

• Add: Configure and add a new network list.

• Modify: Modify a previously configured network list.

• Copy: Copy a configured network list, modify its parameters, save it with a new name, and add it to the configured network lists.

On the Add and Modify screens, the Manager can automatically generate a network list containing the private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table, and Inbound RIP must be enabled on that interface.

Figure 14-6 Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy Screens


List Name

Enter a unique name for this network list. Maximum 48 characters, case-sensitive. Spaces are allowed.

If you use the Generate Local List feature on the Add screen, enter this name after the system generates the network list.

Network List

Enter the networks in this network list. Enter each network on a single line using the format n.n.n.n/w.w.w.w, where n.n.n.n is a network IP address and w.w.w.w is a wildcard mask.

Note Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example, 10.10.1.0/0.0.0.255 = all 10.10.1.nnn addresses.

If you omit the wildcard mask, the Manager supplies the default wildcard mask for the class of the network address. For example, 192.168.12.0 is a Class C address, and the default wildcard mask is 0.0.0.255.

You can include a maximum of 200 network/wildcard entries in a single network list.
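A parser for the Network List field as described above (one n.n.n.n/w.w.w.w entry per line, wildcard ones as bits to ignore, classful default wildcard when the mask is omitted, 200-entry limit), with a check for the most common mistake, entering a subnet mask where a wildcard mask is expected. Added example, not Cisco code; the function names and the subnet-mask heuristic are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

MAX_ENTRIES = 200       # Manager limit per network list


@dataclass(frozen=True)
class NetworkEntry:
    network: int        # 32-bit network address
    wildcard: int       # 32-bit wildcard mask: ones = bits to ignore
    text: str           # entry as it would appear in the Network List field


def default_wildcard(network: str) -> str:
    """Classful default wildcard the Manager supplies when the mask is omitted."""
    first_octet = int(network.split(".")[0])
    if first_octet < 128:
        return "0.255.255.255"      # Class A
    if first_octet < 192:
        return "0.0.255.255"        # Class B
    if first_octet < 224:
        return "0.0.0.255"          # Class C
    raise ValueError(f"{network}: no classful default wildcard for a class D/E address")


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """The 'reverse of a subnet mask' rule, applied in the other direction."""
    return str(IPv4Address(~int(IPv4Address(wildcard)) & 0xFFFFFFFF))


def parse_entry(line: str) -> NetworkEntry:
    """Parse one n.n.n.n/w.w.w.w line, supplying the default wildcard if absent."""
    network, _, wildcard = line.partition("/")
    if not wildcard:
        wildcard = default_wildcard(network)
    return NetworkEntry(int(IPv4Address(network)), int(IPv4Address(wildcard)),
                        f"{network}/{wildcard}")


def parse_network_list(text: str) -> List[NetworkEntry]:
    """Parse the whole field, one entry per line, enforcing the 200-entry cap."""
    entries = [parse_entry(line.strip()) for line in text.splitlines() if line.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries; a network list holds at most {MAX_ENTRIES}")
    return entries


def matches(entry: NetworkEntry, addr: str) -> bool:
    keep = ~entry.wildcard & 0xFFFFFFFF
    return int(IPv4Address(addr)) & keep == entry.network & keep


def in_network_list(addr: str, entries: List[NetworkEntry]) -> bool:
    return any(matches(e, addr) for e in entries)


def looks_like_subnet_mask(wildcard: int) -> bool:
    """True for values such as 255.255.255.0: contiguous ones from the top, so the
    network bits would be ignored and only the host bits compared. Almost always a
    subnet mask typed where a wildcard was expected."""
    low_bits = ~wildcard & 0xFFFFFFFF
    return wildcard not in (0, 0xFFFFFFFF) and (low_bits & (low_bits + 1)) == 0


def check_network_list(entries: List[NetworkEntry]) -> List[str]:
    """Warnings worth reviewing before the list is used in a rule or LAN-to-LAN."""
    warnings = []
    for e in entries:
        if looks_like_subnet_mask(e.wildcard):
            suggested = wildcard_to_subnet_mask(str(IPv4Address(e.wildcard)))
            warnings.append(f"{e.text}: wildcard looks like a subnet mask; "
                            f"did you mean {suggested}?")
        if e.network & e.wildcard:
            warnings.append(f"{e.text}: address has bits set in ignored positions")
    return warnings


if __name__ == "__main__":
    # Constructed sample field contents, not from the manual.
    sample = "10.10.1.0/0.0.0.255\n192.168.12.0\n10.10.1.0/255.255.255.0\n"
    entries = parse_network_list(sample)
    for e in entries:
        print(e.text, "contains 10.10.1.200:", matches(e, "10.10.1.200"))
    for w in check_network_list(entries):
        print("warning:", w)
```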

Generate Local List

On the Add or Modify screen, click the Generate Local List button to have the Manager automatically generate a network list containing the first 200 private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table (see Monitoring | Routing Table), and Inbound RIP must be enabled on that interface (see Configuration | Interfaces). The Manager refreshes the screen after it generates the list, and you can then edit the Network List and enter a List Name.

Note If you click Apply, the generated list replaces any existing entries in the Network List.

Add or Apply / Cancel

To add this network list to the configured network lists, click Add. Or to apply your changes to this network list, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | Network Lists screen. Any new entry appears at the bottom of the Network List field.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Network Lists screen, and the Network Lists field is unchanged.

14-10VPN 3000 Series Concentrator Reference Volume I: Configuration

78-15731-01

Page 423: Config


Configuration | Policy Management | Traffic Management | Rules

This section of the Manager lets you add, configure, modify, copy, and delete filter rules. You use rules to construct filters.

Caution The Cisco-supplied default rules are intended as templates that you should examine and modify to fit your network and security needs. Unmodified, or incorrectly applied, they could present security risks. You should also be especially careful about adding rules to the Public (Default) filter. For example, the default Incoming HTTP rules are intended to allow an administrator outside the private network to manage the VPN Concentrator with a browser. Unmodified, they could allow browser connections to any system on the private network. If you apply these rules to a filter, you should at least change the Source and Destination Address to limit the connections.

Figure 14-7 Configuration | Policy Management | Traffic Management | Rules Screen


Filter Rules

The Filter Rules list shows the configured rules that are available to apply to filters. The list shows the rule name and the action/direction in parentheses. The rules are listed in the order they are configured.

Cisco supplies several default rules that you can modify and use. See Table 14-1 for their parameters, and see Configuration | Policy Management | Traffic Management | Rules | Add for explanations of the parameters.

For all the default rules except VRRP In and Out, these parameters are identical:

• Action = Forward

• Source Address = Use IP Address/Wildcard-Mask = 0.0.0.0/255.255.255.255 = any address

• Destination Address = Use IP Address/Wildcard-Mask = 0.0.0.0/255.255.255.255 = any address

For maximum security and control, we recommend that you change the Source Address and Destination Address to fit your network addressing and security scheme.

Table 14-1 Cisco-Supplied Default Filter Rules

| Filter Rule Name | Direction | Protocol | TCP Connection | TCP/UDP Source Port | TCP/UDP Destination Port | ICMP Packet Type |
|---|---|---|---|---|---|---|
| Any In | Inbound | Any | Don’t Care | Range 0-65535 | Range 0-65535 | 0-255 |
| Any Out | Outbound | Any | Don’t Care | Range 0-65535 | Range 0-65535 | 0-255 |
| CRL over LDAP In | Inbound | TCP | Don’t Care | LDAP (389) | Range 0-65535 | — |
| CRL over LDAP Out | Outbound | TCP | Don’t Care | Range 0-65535 | LDAP (389) | — |
| GRE In | Inbound | GRE | — | — | — | — |
| GRE Out | Outbound | GRE | — | — | — | — |
| ICMP In | Inbound | ICMP | — | — | — | 0-18 |
| ICMP Out | Outbound | ICMP | — | — | — | 0-18 |
| IKE In | Inbound | UDP | — | Range 0-65535 | IKE (500) | — |
| IKE Out | Outbound | UDP | — | IKE (500) | Range 0-65535 | — |
| Incoming HTTP In | Inbound | TCP | Don’t Care | Range 0-65535 | HTTP (80) | — |
| Incoming HTTP Out | Outbound | TCP | Don’t Care | HTTP (80) | Range 0-65535 | — |
| Incoming HTTPS In | Inbound | TCP | Don’t Care | Range 0-65535 | HTTPS (443) | — |
| Incoming HTTPS Out | Outbound | TCP | Don’t Care | HTTPS (443) | Range 0-65535 | — |
| IPSec-ESP In | Inbound | ESP | — | — | — | — |
| L2TP In | Inbound | UDP | — | Range 0-65535 | L2TP (1701) | — |
| L2TP Out | Outbound | UDP | — | L2TP (1701) | Range 0-65535 | — |
| LDAP In | Inbound | TCP | Don’t Care | Range 0-65535 | LDAP (389) | — |
| LDAP Out | Outbound | TCP | Don’t Care | LDAP (389) | Range 0-65535 | — |
| OSPF In | Inbound | OSPF | — | — | — | — |
| OSPF Out | Outbound | OSPF | — | — | — | — |
| Outgoing HTTP In | Inbound | TCP | Don’t Care | HTTP (80) | Range 0-65535 | — |
| Outgoing HTTP Out | Outbound | TCP | Don’t Care | Range 0-65535 | HTTP (80) | — |
| Outgoing HTTPS In | Inbound | TCP | Don’t Care | HTTPS (443) | Range 0-65535 | — |
| Outgoing HTTPS Out | Outbound | TCP | Don’t Care | Range 0-65535 | HTTPS (443) | — |
| PPTP In | Inbound | TCP | Don’t Care | Range 0-65535 | PPTP (1723) | — |
| PPTP Out | Outbound | TCP | Don’t Care | PPTP (1723) | Range 0-65535 | — |
| RIP In | Inbound | UDP | — | RIP (520) | RIP (520) | — |
| RIP Out | Outbound | UDP | — | RIP (520) | RIP (520) | — |
| SSH In | Inbound | TCP | Don’t Care | Range 0-65535 | SSH (22) | — |
| SSH Out | Outbound | TCP | Don’t Care | SSH (22) | Range 0-65535 | — |
| Telnet/SSL In | Inbound | TCP | Don’t Care | Range 0-65535 | Telnet/SSL (992) | — |
| Telnet/SSL Out | Outbound | TCP | Don’t Care | Telnet/SSL (992) | Range 0-65535 | — |
| VCA In | Inbound | UDP | — | Range 0-65535 | 9023 | — |
| VCA Out | Outbound | UDP | — | 9023 | Range 0-65535 | — |
| VRRP In (1) | Inbound | Other 112 | — | — | — | — |
| VRRP Out (1) | Outbound | Other 112 | — | — | — | — |

1. For VRRP In and VRRP Out, the Destination Address is 224.0.0.18/0.0.0.0, which is the IANA-assigned IP multicast address for VRRP.


Add / Modify / Copy / Delete

To configure a new rule, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Rules | Add screen.

To modify a rule that has been configured, select the rule from the list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Rules | Modify screen.

To copy a configured rule, modify it, and save it with a new name, select the rule from the list and click Copy. See the Configuration | Policy Management | Traffic Management | Rules | Copy screen.

To delete a configured rule, select the rule from the list and click Delete.

• If the rule is not being used in a filter, the Manager deletes the rule, refreshes the screen, and shows the remaining rules in the list. There is no confirmation or undo.

• If the rule is being used in a filter, the Manager asks you to confirm the deletion. See the Configuration | Policy Management | Traffic Management | Rules | Delete screen.

• You cannot delete a rule that is configured as part of a LAN-to-LAN connection. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen.

Note Deleting a rule deletes it from every filter that uses it and deletes it from the VPN Concentrator active configuration. To remove a rule from a filter but retain it in the active configuration, see the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy

These Manager screens let you:

• Add: Configure and add a new filter rule to the list of filter rules.

• Modify: Modify a previously configured filter rule.

• Copy: Copy a configured rule, modify its parameters, save it with a new name, and add it to the list of filter rules.

The VPN Concentrator applies rule parameters to data traffic (packets) in the order presented on this screen (from Protocol down) to see if they match. If all parameters match, the system takes the specified Action. If at least one parameter does not match, the system ignores the rest of this rule and examines the packet in accordance with the next rule, and so forth.

Note On the Modify screen, any changes take effect as soon as you click Apply. Changes affect all filters that use this rule. If this rule is being used by an active filter, changes might affect tunnel traffic.
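As an added example (not code from the manual or from Cisco), the following Python models two things this page describes: the network-list entry format from the Network Lists screen (n.n.n.n/w.w.w.w, the classful default wildcard mask when the mask is omitted, the 200-entry limit) and the first-match evaluation of rule parameters described above. It then contrasts the default Incoming HTTP In rule with a copy limited to one management host; the host addresses, and the Drop fallback for a packet that matches no rule, are assumptions of this model.

```python
# Added example (not Cisco code): a model of the network-list entry format and of
# first-match filter-rule evaluation described on this page. The "Drop" fallback
# for a packet that matches no rule is this model's assumption.
import ipaddress
from dataclasses import dataclass, field

MAX_ENTRIES = 200  # per-network-list limit stated by the manual

def default_wildcard(addr: str) -> str:
    """Classful default wildcard mask the Manager supplies when /w.w.w.w is omitted."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return "0.255.255.255"  # Class A
    if first_octet < 192:
        return "0.0.255.255"    # Class B
    return "0.0.0.255"          # Class C, e.g. 192.168.12.0

def parse_entry(entry: str) -> tuple:
    """'n.n.n.n[/w.w.w.w]' -> (network, wildcard) as 32-bit integers."""
    addr, _, wild = entry.strip().partition("/")
    wild = wild or default_wildcard(addr)
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def parse_network_list(text: str) -> list:
    """One entry per line; rejects a list over the 200-entry limit."""
    entries = [parse_entry(line) for line in text.splitlines() if line.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    return entries

def wildcard_match(ip: str, network: int, wildcard: int) -> bool:
    """Wildcard ones = ignore that bit; zeros = that bit must match."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (network & care)

ANY_ADDRESS = parse_entry("0.0.0.0/255.255.255.255")  # Source/Destination default

@dataclass
class Packet:
    direction: str             # "Inbound" or "Outbound"
    protocol: str              # "TCP", "UDP", "ICMP", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    established: bool = False  # belongs to an established TCP connection

@dataclass
class Rule:
    """Parameters of the Rules | Add screen (Log and Apply IPSec actions omitted)."""
    name: str
    direction: str
    action: str                          # "Drop" or "Forward"
    protocol: str = "Any"
    tcp_connection: str = "Don't Care"   # or "Established"
    src: list = field(default_factory=lambda: [ANY_ADDRESS])
    dst: list = field(default_factory=lambda: [ANY_ADDRESS])
    sport: tuple = (0, 65535)
    dport: tuple = (0, 65535)
    icmp: tuple = (0, 255)

    def matches(self, p: Packet) -> bool:
        """Parameters are tested in screen order; any mismatch ends this rule."""
        def in_range(r, v): return r[0] <= v <= r[1]
        return (p.direction == self.direction
                and self.protocol in ("Any", p.protocol)
                and (p.protocol != "TCP" or self.tcp_connection != "Established"
                     or p.established)
                and any(wildcard_match(p.src, n, w) for n, w in self.src)
                and any(wildcard_match(p.dst, n, w) for n, w in self.dst)
                and (p.protocol not in ("TCP", "UDP")
                     or (in_range(self.sport, p.sport) and in_range(self.dport, p.dport)))
                and (p.protocol != "ICMP" or in_range(self.icmp, p.icmp_type)))

def apply_filter(rules: list, packet: Packet, default: str = "Drop") -> tuple:
    """(action, rule name) of the first rule whose parameters all match, else (default, None)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return default, None

# Constructed demo: Cisco's default "Incoming HTTP In" (any -> any, port 80) beside a copy
# narrowed to one admin host and one Concentrator address (both addresses hypothetical).
DEFAULT_HTTP_IN = Rule("Incoming HTTP In", "Inbound", "Forward", "TCP", dport=(80, 80))
LIMITED_HTTP_IN = Rule("Incoming HTTP In (limited)", "Inbound", "Forward", "TCP",
                       src=[parse_entry("203.0.113.10/0.0.0.0")],
                       dst=[parse_entry("10.10.1.1/0.0.0.0")], dport=(80, 80))

def demo() -> dict:
    to_internal_host = Packet("Inbound", "TCP", "198.51.100.7", "10.10.1.50", 40000, 80)
    to_concentrator = Packet("Inbound", "TCP", "203.0.113.10", "10.10.1.1", 40001, 80)
    return {
        "default_rule_any_host": apply_filter([DEFAULT_HTTP_IN], to_internal_host)[0],
        "limited_rule_other_host": apply_filter([LIMITED_HTTP_IN], to_internal_host)[0],
        "limited_rule_admin": apply_filter([LIMITED_HTTP_IN], to_concentrator)[0],
    }
```

Running demo() shows the unmodified default rule forwarding HTTP to an arbitrary private host while the limited copy forwards only the admin host's connection to the Concentrator.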

Creating Rules for a Firewall Filter

If you are creating rules for a VPN Client firewall filter:

• Keep in mind that the VPN Concentrator pushes these rules down to the VPN Client, so you should create and define these rules relative to the VPN Client, not the VPN Concentrator. In this type of configuration, “in” and “out” refer to traffic inbound to and outbound from the VPN Client.

• When configuring firewall rules, be aware that the VPN Client integrated firewall is stateful only for TCP, UDP, and ICMP protocols. For all other protocols, it uses packet filtering.

• Two of the parameters on this screen are not relevant: TCP Connection and ICMP Packet Type. The VPN Client ignores these parameters.

• Choose either Drop or Forward from the Action drop-down menu. The other choices are not relevant to firewall configuration and the VPN Client ignores them.

For more information on configuring rules for VPN Client firewall filters, refer to the VPN Client Administrator Guide.


Figure 14-8 Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy Screen


Rule Name

Enter a unique name for this rule. Maximum is 48 characters.

Direction

Click the Direction drop-down menu button and choose the data direction to which this rule applies:

• Inbound = Into the VPN Concentrator interface; or into the VPN tunnel from the remote client or host. (This is the default selection.)

• Outbound = Out of the VPN Concentrator interface; or out of the VPN tunnel to the remote client or host.

Note If you are configuring this rule to use for a VPN Client firewall filter, the direction is relative to the VPN Client, not the VPN Concentrator. For example, “Inbound” in a VPN Client firewall filter means into the VPN Client interface.

Action

Click the Action drop-down menu button and choose the action to take if the data traffic (packet) matches all parameters that follow.

Note If you are configuring this rule to use for a VPN Client firewall filter, you must choose either Drop or Forward.

The choices are:

• Drop = Discard the packet (the default choice).

• Forward = Allow the packet to pass.

• Drop and Log = Discard the packet and log a filter debugging event (FILTERDBG event class). See Configuration | System | Events and see the following note.

• Forward and Log = Allow the packet to pass and log a filter debugging event (FILTERDBG event class). See the following note.

• Apply IPSec = Apply IPSec to the packet. Apply packet authentication, encryption, etc., in accordance with parameters that are specified in a Security Association. You must configure a Security Association if you choose this action. Also, you can assign an SA to this rule only if you choose this (or the following) action; see Configuration | Policy Management | Traffic Management | Security Associations. See the following notes.

• Apply IPSec and Log = Apply IPSec to the packet and log a filter debugging event (FILTERDBG event class). See the following notes.

Note The Log actions are intended for use only while debugging filter activity. Since they generate and log an event for every matched packet, they consume significant system resources and might seriously degrade performance.


Note The Apply IPSec actions are for LAN-to-LAN traffic only, not for remote-access traffic. Remote-access IPSec traffic is authenticated and encrypted in accordance with the SAs negotiated with the remote client (tunnel group) and user. In LAN-to-LAN connections, individual hosts on the LANs do not negotiate SAs. The VPN Concentrator automatically creates and applies appropriate rules when you create a LAN-to-LAN connection; see Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN.

Protocol or Other

This parameter refers to the IANA (Internet Assigned Numbers Authority) assigned protocol number in an IP packet. The descriptions include the IANA number, in brackets, for reference.

Click the Protocol or Other drop-down menu button and choose the protocol to which this rule applies.

• Any = Any protocol [255] (the default choice).

• ICMP = Internet Control Message Protocol [1] (used by ping, for example). If you choose this protocol, you should also configure ICMP Packet Type.

• TCP = Transmission Control Protocol [6] (connection-oriented, for example: FTP, HTTP, SMTP, and Telnet). If you choose this protocol, you should configure TCP Connection and TCP/UDP Source Port or Destination Port.

• EGP = Exterior Gateway Protocol [8] (used for routing to exterior networks).

• IGP = Interior Gateway Protocol [9] (used for routing within a domain).

• UDP = User Datagram Protocol [17] (connectionless, for example: SNMP). If you choose this protocol, you should also configure TCP/UDP Source Port or Destination Port.

• ESP = Encapsulation Security Payload [50] (applies to IPSec).

• AH = Authentication Header [51] (applies to IPSec).

• GRE = Generic Routing Encapsulation [47] (used by PPTP).

• RSVP = Resource Reservation Protocol [46] (reserves bandwidth on routers).

• IGMP = Internet Group Management Protocol [2] (used in multicasting).

• OSPF = Open Shortest Path First [89] (interior routing protocol).

• Other = Other protocol not listed here. If you choose Other here, you must enter the IANA-assigned protocol number in the Other field.


TCP Connection

Note Do not configure this field if you are using this rule for a client firewall filter.

Click the TCP Connection drop-down menu button and choose whether this rule applies to packets from established TCP connections. For example, you might want a rule to forward only those TCP packets that originate from established connections on the public network interface, to provide maximum protection against “spoofing.”

The choices are:

• Established = Apply rule to packets from established TCP connections only.

• Don’t Care = Apply rule to any TCP packets, whether from established connections or new connections (the default choice).

Source Address

Specify the packet source address that this rule checks (the address of the sender).

Network List

Click the Network List drop-down menu button and choose the configured network list that specifies the source addresses. A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens. Otherwise, you can choose:

• Use IP Address/Wildcard-mask, which lets you enter a network address.

If you choose a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields.

Note An IP address is used with a wildcard mask to provide the desired granularity. A wildcard mask is the reverse of a subnet mask. The wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example:

0.0.0.0/255.255.255.255 = any address

10.10.1.35/0.0.0.0 = only 10.10.1.35

10.10.1.35/0.0.0.255 = all 10.10.1.nnn addresses

IP Address

Enter the source IP address in dotted decimal notation. Default is 0.0.0.0.

Wildcard-mask

Enter the source address wildcard mask in dotted decimal notation. Default is 255.255.255.255.


Destination Address

Specify the packet destination address that this rule checks (the address of the recipient).

Network List

Click the Network List drop-down menu button and choose the configured network list that specifies the destination addresses. A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens. Otherwise, you can choose Use IP Address/Wildcard-mask, which lets you enter a network address.

If you choose a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields. See the preceding wildcard mask note.

IP Address

Enter the destination IP address in dotted decimal notation. The default value is 0.0.0.0.

Wildcard-mask

Enter the destination address wildcard mask in dotted decimal notation. The default value is 255.255.255.255.

TCP/UDP Source Port

If you chose TCP or UDP under Protocol, choose the source port number that this rule checks.

Many different protocols or processes run in TCP or UDP environments, and each TCP or UDP process running on a network host is assigned a port number. Thus an IP address plus a port number uniquely identifies a process on a network host. Only TCP and UDP protocols use port numbers. The Internet Assigned Numbers Authority (IANA) manages port numbers and classifies them as Well Known, Registered, and Dynamic (or Private). The Well Known ports are those from 0 through 1023; the Registered Ports are those from 1024 through 49151; and the Dynamic ports are those from 49152 through 65535.

Port or Range

Click the Port or Range drop-down menu button and choose the process (port number):

• ECHO (7) = Used by ping for network testing.

• DISCARD (9) = Used for network debugging and measurement.

• FTP-DATA (20) = File Transfer Protocol, data port.

• FTP (21) = File Transfer Protocol, control port.

• SSH (22) = Secure Shell Protocol.

• TELNET (23) = Terminal emulation.

• SMTP (25) = Simple Mail Transfer Protocol.

• DNS (53) = Domain Name System.

• TFTP (69) = Trivial File Transfer Protocol.


• FINGER (79) = Network user inquiry.

• HTTP (80) = Hypertext Transfer Protocol.

• POP3 (110) = Post Office Protocol, version 3.

• NNTP (119) = Network News Transfer Protocol.

• NTP (123) = Network Time Protocol.

• NetBIOS Name Service (137) = Network Basic Input Output System, host name assignment.

• NetBIOS (138) = NetBIOS datagram service.

• NetBIOS Session (139) = NetBIOS session management.

• IMAP (143) = Internet Mail Access Protocol.

• SNMP (161) = Simple Network Management Protocol.

• SNMP-TRAP (162) = SNMP event or trap handling.

• BGP (179) = Border Gateway Protocol.

• LDAP (389) = Lightweight Directory Access Protocol.

• HTTPS (443) = HTTP over a secure session (TLS/SSL).

• SMTPS (465) = SMTP over a secure session (TLS/SSL).

• IKE (500) = Internet Key Exchange Protocol (was ISAKMP/Oakley).

• SYSLOG (514) = UNIX syslog server (UDP only).

• RIP (520) = Routing Information Protocol (UDP only).

• NNTPS (563) = NNTP over a secure session (TLS/SSL).

• LDAP/SSL (636) = LDAP over a secure session (TLS/SSL).

• Telnet/SSL (992) = Telnet over a secure session (TLS/SSL).

• LapLink (1547) = Remote file management and mail.

• L2TP (1701) = Layer 2 Tunneling Protocol.

• PPTP (1723) = Point-to-Point Tunneling Protocol.

• NAT-T (4500) = NAT Traversal.

• Range = To specify a range of port numbers, or to specify a port not on the Cisco-supplied list, select Range here (the default selection) and enter—in the Range [start] to [end] fields—the inclusive range of port numbers to which this rule applies. To specify a single port number, enter the same number in both fields. Defaults are 0 to 65535 (all ports). The Range fields are ignored if you choose a specific port from the drop-down list.

TCP/UDP Destination Port

If you chose TCP or UDP under Protocol, choose the destination port number that this rule checks. See the preceding explanation of port numbers under TCP/UDP Source Port.

Port or Range

Click the Port or Range drop-down menu button and choose the process (port number). The choices are the same as listed under TCP/UDP Source Port, Port or Range.


ICMP Packet Type

Note Do not configure this field if you are using this rule for a client firewall filter.

The ICMP protocol has many messages that are identified by a type number. For example:

0 = Echo Reply

8 = Echo

13 = Timestamp

14 = Timestamp Reply

17 = Address Mask Request

18 = Address Mask Reply

The Internet Assigned Numbers Authority (IANA) manages these ICMP type numbers.

If you selected ICMP under Protocol, enter the range of ICMP packet type numbers to which this rule applies. To specify a single packet type, enter the same number in both fields. Defaults are 0 to 255 (all packet types). For example, to specify the Timestamp and Timestamp Reply types only, enter 13 to 14.

Add or Apply / Cancel

To add this rule to the list of configured filter rules, click Add. Or to apply your changes to this rule, click Apply. On the Modify screen, any changes take effect as soon as you click Apply. If the rule is being used by an active filter, changes might affect tunnel traffic. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen. Any new rule appears in the Filter Rules list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen, and the Filter Rules list is unchanged.


Configuration | Policy Management | Traffic Management | Rules | Delete

This screen asks you to confirm deletion of a rule that is being used in a filter. Doing so deletes the rule from all filters that use it, and deletes it from the VPN Concentrator active configuration. To remove a rule from a filter but retain it in the active configuration, see the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen.

Figure 14-9 Configuration | Policy Management | Traffic Management | Rules | Delete Screen

Note The Manager deletes the rule from the filter as soon as you click Yes. If this rule is being used by an active filter, deletion might affect data traffic.

Yes / No

To delete this rule from all filters that use it, and delete it from the active configuration, click Yes. There is no undo. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen and shows the remaining rules in the Filter Rules list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To not delete this rule, click No. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen, and the Filter Rules list is unchanged.


Configuration | Policy Management | Traffic Management | Security Associations

This section of the Manager lets you add, configure, modify, and delete Security Associations (SAs). SAs apply only to IPSec tunnels. During tunnel establishment the two parties negotiate Security Associations that govern authentication, encryption, encapsulation, key management, etc. In other words, while rules and filters specify what traffic to manage, SAs tell how to do it.

IPSec configurations actually involve two SA negotiation phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within—the use of—the tunnel (the IPSec SA). You must configure IKE proposals before configuring Security Associations. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals, or click the IKE Proposals link on this screen.

You apply SAs to filter rules that are configured with an Apply IPSec action, for LAN-to-LAN traffic. See Configuration | Policy Management | Traffic Management | Rules. The VPN Concentrator automatically creates and applies appropriate rules when you create a LAN-to-LAN connection; see Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN. You also apply SAs to groups and users, for remote-access traffic, under the IPSec Parameters section on the appropriate Configuration | User Management screens.

You can use IPSec in both client-to-LAN (remote-access) configurations and LAN-to-LAN configurations. The Cisco VPN Client complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients. Likewise, the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN devices (often called “secure gateways”). The instructions in this section, however, assume peer VPN Concentrators.

The Cisco VPN Client supports these IPSec attributes:

• Main mode for negotiating phase one ISAKMP Security Associations (SAs) when using digital certificates for authentication

• Aggressive mode for negotiating phase one ISAKMP Security Associations (SAs) when using preshared keys for authentication

• Authentication Algorithms:

– ESP-MD5-HMAC-128

– ESP-SHA1-HMAC-160

• Authentication Modes:

– Preshared Keys

– X.509 Digital Certificates

• Diffie-Hellman Groups 1, 2, and 5


• Encryption Algorithms:

– DES-56

– 3DES-168

– AES-128

– AES-192

– AES-256

– ESP-NULL

Note AES encryption algorithms work only with VPN Concentrator software versions 3.6 and later.

• Extended Authentication (XAuth)

• Mode Configuration (also known as ISAKMP Configuration Method)

• Tunnel Encapsulation Mode

• IP compression (IPComp) using LZS

Figure 14-10 Configuration | Policy Management | Traffic Management | Security Associations Screen


IPSec SAs

The IPSec SAs list shows the configured SAs that are available. The SAs are listed in alphabetical order.

Cisco supplies default SAs that you can use or modify; see Table 14-2 and Table 14-3. See the Configuration | Policy Management | Traffic Management | Security Associations | Add section for explanations of the parameters.

Table 14-2 Cisco-Supplied Default Security Associations, Part 1

| Parameter | ESP-DES-MD5 | ESP-3DES-MD5 | ESP/IKE-3DES-MD5 | ESP-3DES-NONE |
|---|---|---|---|---|
| Inheritance | From Rule | From Rule | From Rule | From Rule |
| IPSec Parameters | | | | |
| Authentication Algorithm | ESP/MD5/HMAC-128 | ESP/MD5/HMAC-128 | ESP/MD5/HMAC-128 | None |
| Encryption Algorithm | DES-56 | 3DES-168 | 3DES-168 | 3DES-168 |
| Encapsulation Mode | Tunnel | Tunnel | Tunnel | Tunnel |
| Perfect Forward Secrecy | Disabled | Disabled | Disabled | Disabled |
| Lifetime Measurement | Time | Time | Time | Time |
| Data Lifetime | 10000 KB | 10000 KB | 10000 KB | 10000 KB |
| Time Lifetime | 28800 sec | 28800 sec | 28800 sec | 28800 sec |
| IKE Parameters | | | | |
| IKE Peer | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 |
| Negotiation Mode | Main | Main | Main | Main |
| Digital Certificate | None (Use Preshared Keys) | None (Use Preshared Keys) | None (Use Preshared Keys) | None (Use Preshared Keys) |
| IKE Proposal | IKE-DES-MD5 | IKE-DES-MD5 | IKE-3DES-MD5 | IKE-3DES-MD5 |


Table 14-3 Cisco-Supplied Default Security Associations, Part 2

| Parameter | ESP-L2TP-TRANSPORT | ESP-3DES-MD5-DH7 | ESP-3DES-MD5-DH5 | ESP-AES-128-SHA |
|---|---|---|---|---|
| Inheritance | From Rule | From Rule | From Rule | From Rule |
| IPSec Parameters | | | | |
| Authentication Algorithm | ESP/MD5/HMAC-128 | ESP/MD5/HMAC-128 | ESP/MD5/HMAC-128 | ESP/SHA1/HMAC-160 |
| Encryption Algorithm | DES-56 | 3DES-168 | 3DES-168 | AES-128 |
| Encapsulation Mode | Transport | Tunnel | Tunnel | Tunnel |
| Perfect Forward Secrecy | Disabled | Disabled | Disabled | Disabled |
| Lifetime Measurement | Time | Time | Time | Time |
| Data Lifetime | 10000 KB | 10000 KB | 10000 KB | 10000 KB |
| Time Lifetime | 3600 sec | 28800 sec | 28800 sec | 28800 sec |
| IKE Parameters | | | | |
| IKE Peer | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 |
| Negotiation Mode | Main | Aggressive | Aggressive | Aggressive |
| Digital Certificate | None (Use Preshared Keys) | None (Use Preshared Keys) | None (Use Preshared Keys) | None (Use Preshared Keys) |
| IKE Proposal | IKE-3DES-MD5 | IKE-3DES-MD5-DH7 | CiscoVPNClient-3DES-MD5-DH5 | CiscoVPNClient-AES128-SHA |


Add / Modify / Delete

To configure a new SA, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Security Associations | Add screen.

To modify an SA that has been configured, select the SA from the list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Security Associations | Modify screen.

To delete a configured SA, select the SA from the list and click Delete.

• If the SA has not been assigned to a filter rule—even if it has been assigned to a group or user—the Manager deletes the SA, refreshes the screen, and shows the remaining SAs in the list. There is no confirmation or undo.

• If the SA has been assigned to a filter rule, the Manager asks you to confirm the deletion. See the Configuration | Policy Management | Traffic Management | Security Associations | Delete screen.

• You cannot delete an SA that is configured as part of a LAN-to-LAN connection. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify

These screens let you:

• Add: Configure and add a new Security Association to the list of configured SAs.

• Modify: Modify a configured Security Association.

Note On the Modify screen, any changes take effect as soon as you click Apply. If the SA is being used by an active filter rule or group, changes might affect tunnel traffic.

Figure 14-11 Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify Screen


SA Name

Enter a unique name for this Security Association. Maximum is 48 characters.

Inheritance

This parameter specifies the granularity, or how many tunnels to build for this connection. Each tunnel uses a unique key.

Click the Inheritance drop-down menu button and choose:

• From Rule = One tunnel for each rule in the connection. A rule can specify multiple networks, thus many hosts can use the same tunnel. This is the default—and recommended—selection.

• From Data = One tunnel for every address pair within the address ranges specified in the rule. Each host uses a separate tunnel, and hence, separate keys. This selection is more secure but requires more processing overhead.

IPSec Parameters

These parameters apply to IPSec SAs, which are Phase 2 SAs negotiated under IPSec, where the two parties establish conditions for use of the tunnel.

Authentication Algorithm

This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that data comes from whom you think it comes from; it is often referred to as “data integrity” in VPN literature. The IPSec ESP (Encapsulating Security Payload) protocol provides both encryption and authentication.

Click the Authentication Algorithm drop-down menu button and choose the algorithm:

• None = No data authentication.

• ESP/MD5/HMAC-128 = ESP protocol using HMAC (Hashed Message Authentication Coding) with the MD5 hash function using a 128-bit key. This is the default selection.

• ESP/SHA/HMAC-160 = ESP protocol using HMAC with the SHA-1 hash function using a 160-bit key. This selection is more secure but requires more processing overhead.


Encryption Algorithm

This parameter specifies the data, or packet, encryption algorithm. Data encryption makes the data unreadable if intercepted.

Click the Encryption Algorithm drop-down menu button and choose the algorithm:

• Null = No packet encryption.

• DES-56 = Use DES encryption with a 56-bit key.

• 3DES-168 = Use Triple-DES encryption with a 168-bit key. This algorithm is the default.

• AES-128 = Use AES encryption with a 128-bit key.

• AES-192 = Use AES encryption with a 192-bit key.

• AES-256 = Use AES encryption with a 256-bit key. This algorithm is the most secure.

Encapsulation Mode

This parameter specifies the mode for applying ESP encryption and authentication; in other words, what part of the original IP packet has ESP applied.

Click the Encapsulation Mode drop-down menu button and choose the mode:

• Tunnel = Apply ESP encryption and authentication to the entire original IP packet (IP header and data), thus hiding the ultimate source and destination addresses. This is the default selection, and it is the most secure.

• Transport = Apply ESP encryption and authentication only to the transport layer segment (data only) of the original IP packet. This mode protects packet contents but not the ultimate source and destination addresses. Use this mode for Windows 2000 client compatibility.

Perfect Forward Secrecy

This parameter specifies whether to use Perfect Forward Secrecy, and the size of the numbers to use, in generating Phase 2 IPSec keys. Perfect Forward Secrecy is a cryptographic concept where each new key is unrelated to any previous key. In IPSec negotiations, Phase 2 keys are based on Phase 1 keys unless Perfect Forward Secrecy is specified. Perfect Forward Secrecy uses Diffie-Hellman techniques to generate the keys.


Click the Perfect Forward Secrecy drop-down menu button and choose the Perfect Forward Secrecy option:

• Disabled = Do not use Perfect Forward Secrecy. IPSec session keys are based on Phase 1 keys. This is the default choice.

• Group 1 (768-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 1 to generate IPSec session keys, where the prime and generator numbers are 768 bits. This option is more secure but requires more processing overhead.

• Group 2 (1024-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 2 to generate IPSec session keys, where the prime and generator numbers are 1024 bits. This option is more secure than Group 1 but requires more processing overhead.

• Group 7 (ECC) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 7 (ECC) to generate IPSec session keys, where the elliptic curve field size is 163 bits. This option is the fastest and requires the least overhead. It is intended for use with the movianVPN client, but you can use it with any peers that support Group 7 (ECC).

Lifetime Measurement

This parameter specifies how to measure the lifetime of the IPSec SA keys, which is how long the IPSec SA lasts until it expires and must be renegotiated with new keys. It is used with the Data Lifetime or Time Lifetime parameters.

Note If the peer proposes a shorter lifetime measurement, the VPN Concentrator uses that lifetime measurement instead.

Click the Lifetime Measurement drop-down menu button and choose the measurement method:

• Time = Use time (seconds) to measure the lifetime of the SA (the default). Configure the Time Lifetime parameter.

• Data = Use data (number of kilobytes) to measure the lifetime of the SA. Configure the Data Lifetime parameter.

• Both = Use both time and data, whichever occurs first, to measure the lifetime. Configure both Time Lifetime and Data Lifetime parameters.

• None = No lifetime measurement. The SA lasts until terminated for other reasons. It lasts a maximum of 86400 seconds (24 hours).

Data Lifetime

If you chose Data or Both under Lifetime Measurement, enter the number of kilobytes of payload data after which the IPSec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.


Time Lifetime

If you chose Time or Both under Lifetime Measurement, enter the number of seconds after which the IPSec SA expires. Minimum is 60 seconds, default is 28800 seconds (8 hours), maximum is 2147483647 seconds (about 68 years).
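The Lifetime Measurement, Data Lifetime and Time Lifetime parameters above, as an added example (not Cisco's code): it validates the entered values against the ranges on this screen, applies the note that a peer's shorter proposal wins, and decides when an SA has expired. The 24-hour cap used for None is this example's reading of the page.

```python
"""Added example, not Cisco code: model the Lifetime Measurement, Time Lifetime
and Data Lifetime parameters of a VPN 3000 IPSec SA and decide when the SA
has expired and must be renegotiated."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Ranges stated on the Security Associations | Add or Modify screen.
TIME_MIN, TIME_DEFAULT, TIME_MAX = 60, 28800, 2147483647     # seconds
DATA_MIN, DATA_DEFAULT, DATA_MAX = 100, 10000, 2147483647    # kilobytes
NONE_MAX_SECONDS = 86400   # Lifetime Measurement "None": the SA lasts at most 24 hours

Limits = Tuple[Optional[int], Optional[int]]   # (seconds, kilobytes); None = not measured


@dataclass(frozen=True)
class SaLifetime:
    measurement: str                   # "Time", "Data", "Both" or "None"
    time_lifetime: int = TIME_DEFAULT  # consulted for Time and Both
    data_lifetime: int = DATA_DEFAULT  # consulted for Data and Both

    def __post_init__(self) -> None:
        if self.measurement not in ("Time", "Data", "Both", "None"):
            raise ValueError(f"unknown Lifetime Measurement {self.measurement!r}")
        if self.measurement in ("Time", "Both") and not TIME_MIN <= self.time_lifetime <= TIME_MAX:
            raise ValueError(f"Time Lifetime must be {TIME_MIN}..{TIME_MAX} seconds")
        if self.measurement in ("Data", "Both") and not DATA_MIN <= self.data_lifetime <= DATA_MAX:
            raise ValueError(f"Data Lifetime must be {DATA_MIN}..{DATA_MAX} KB")


def effective_limits(local: SaLifetime,
                     peer_seconds: Optional[int] = None,
                     peer_kilobytes: Optional[int] = None) -> Limits:
    """Limits actually applied to the SA once the peer's proposal is known.

    If the peer proposes a shorter lifetime, the concentrator uses the peer's
    value (the note on the page). "None" is modelled as a 24-hour time cap with
    no data limit; that cap is this example's reading of the page.
    """
    seconds = local.time_lifetime if local.measurement in ("Time", "Both") else None
    kilobytes = local.data_lifetime if local.measurement in ("Data", "Both") else None
    if local.measurement == "None":
        seconds = NONE_MAX_SECONDS
    if seconds is not None and peer_seconds is not None:
        seconds = min(seconds, peer_seconds)
    if kilobytes is not None and peer_kilobytes is not None:
        kilobytes = min(kilobytes, peer_kilobytes)
    return seconds, kilobytes


def sa_expired(limits: Limits, elapsed_seconds: int, payload_kilobytes: int) -> bool:
    """True when the SA must be renegotiated; with Both, whichever limit is hit first wins."""
    seconds, kilobytes = limits
    if seconds is not None and elapsed_seconds >= seconds:
        return True
    return kilobytes is not None and payload_kilobytes >= kilobytes


if __name__ == "__main__":
    # Constructed sample: the local SA measures Both; the peer proposes 30 minutes.
    sa = SaLifetime("Both", time_lifetime=3600, data_lifetime=5000)
    limits = effective_limits(sa, peer_seconds=1800)
    print(limits, sa_expired(limits, elapsed_seconds=1800, payload_kilobytes=10))
```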

IKE Parameters

These parameters govern IKE SAs, which are Phase 1 SAs negotiated under IPSec, where the two parties establish a secure tunnel within which they then negotiate the IPSec SAs. In this IKE SA they exchange automated key management information under the IKE (Internet Key Exchange) protocol (formerly called ISAKMP/Oakley).

All these parameters (except IKE Peer) must be configured the same on both parties; the IKE Peer entries must mirror each other. If you create multiple IPSec SAs for use between two IKE peers, the IKE SA parameters must be the same on all SAs.

For best performance and interoperability, we strongly recommend that you use the default parameters where appropriate.

Connection Type

(This field appears only when this Security Association is used in a LAN-to-LAN connection, and it appears only on the Security Associations | Modify page, not on the Security Associations | Add page.) View this field to determine the role of this VPN Concentrator in establishing the IKE tunnel of the LAN-to-LAN connection that uses this SA. This field is read-only.

• Bi-Directional: This VPN Concentrator can either initiate or accept IKE tunnels.

• Answer-Only: This VPN Concentrator only accepts IKE tunnels. It does not initiate them.

• Originate-Only: This VPN Concentrator only initiates IKE tunnels. It does not accept them.

To configure the Connection Type, see “Connection Type” on the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN Add/Modify screen.

IKE Peer(s)

This parameter applies only to IPSec LAN-to-LAN configurations. It is ignored for IPSec client-to-LAN configurations.

On the Configuration | Policy Management | Traffic Management | Security Associations | Modify page, this field is read-only.

Enter the IP address of the remote peer VPN Concentrator. Use dotted decimal notation. This must be the IP address of the public interface on the peer VPN Concentrator.

This IP address must also match the Peer IP Address on the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify screen. It must also match the Group Name for the LAN-to-LAN connection. When you configure the connection on the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add screen, the Manager automatically creates a group with the Peer IP address as the Group Name. See Configuration | User Management for information on groups.

When you configure this parameter on the remote peer, enter the IP address of this VPN Concentrator. The entries must mirror each other.


Negotiation Mode

This parameter sets the mode for exchanging key information and setting up the SAs. It sets the mode that the initiator of the negotiation uses; the responder auto-negotiates.

Click the Negotiation Mode drop-down menu button and choose the mode:

• Aggressive = A faster mode using fewer packets and fewer exchanges, but which does not protect the identity of the communicating parties.

• Main = A slower mode using more packets and more exchanges, but which protects the identities of the communicating parties. This mode is more secure and it is the default selection.

Digital Certificate

This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under Administration | Certificate Management.

Click the Digital Certificate drop-down menu button and choose the option. The list shows any digital certificates that have been installed, plus the following option:

• None (Use Preshared Keys) = Use preshared keys to authenticate the peer during Phase 1 IKE negotiations. This is the default selection.

Certificate Transmission

If you configured authentication using digital certificates, choose the type of certificate transmission.

• Entire certificate chain = Send the peer the identity certificate and all issuing certificates. Issuing certificates include the root certificate and any subordinate CA certificates.

• Identity certificate only = Send the peer only the identity certificate.

IKE Proposal

This parameter specifies the set of attributes that govern Phase 1 IPSec negotiations, which are known as IKE proposals. See the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. When the VPN Concentrator is acting as an IPSec initiator, this is the only IKE proposal it negotiates. As an IPSec responder, the VPN Concentrator checks all active IKE proposals in priority order, to see if it can find one that agrees with parameters in the initiator’s proposed SA. You must configure, activate, and prioritize IKE proposals before configuring Security Associations.

Click the IKE Proposal drop-down menu button and choose the IKE proposal. The list shows only active IKE proposals in priority order. Cisco-supplied default active proposals are:

• CiscoVPNClient-3DES-MD5 = Use preshared keys (XAUTH) and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 2 to generate SA keys. This selection allows XAUTH user-based authentication and is the default.

• IKE-3DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 2 to generate SA keys.


• IKE-3DES-MD5-DH1 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 1 to generate SA keys. This selection is compatible with the Cisco VPN 3000 Client.

• IKE-DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use DES-56 encryption. Use D-H Group 1 to generate SA keys. This selection is compatible with the Cisco VPN 3000 Client.

• IKE-3DES-MD5-DH7 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 7 (ECC) to generate SA keys. This IKE proposal is intended for use with the movianVPN client; it can also be used with any peer that supports ECC groups for D-H.

• IKE-3DES-MD5-RSA = Use RSA signatures and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 2 to generate SA keys.

• CiscoVPNClient-3DES-MD5-DH5 = Use preshared keys (XAUTH) and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 5 to generate SA keys. This selection allows XAUTH user-based authentication.

• CiscoVPNClient-AES128-SHA = Use preshared keys (XAUTH) and SHA/HMAC-160 for authentication. Use AES-128 encryption. Use D-H Group 2 to generate SA keys. This selection allows XAUTH user-based authentication.

• IKE-AES128-SHA = Use preshared keys and SHA/HMAC-160 for authentication. Use AES-128 encryption. Use D-H Group 2 to generate SA keys.
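The IKE Parameters rules stated above (every parameter except IKE Peer identical on both parties, IKE Peer entries mirroring each other, and the same IKE parameters on all SAs between two peers) as an added configuration check; this is example code, not Cisco's, and the SA names and 203.0.113.x addresses are constructed sample values.

```python
"""Added example, not Cisco code: check that the IKE Parameters of the Security
Associations on two LAN-to-LAN peers are consistent, as this page requires."""
from dataclasses import dataclass, fields
from ipaddress import IPv4Address
from typing import Dict, List


@dataclass(frozen=True)
class IkeParams:
    ike_peer: str                  # public-interface address of the remote concentrator
    negotiation_mode: str          # "Main" or "Aggressive"
    digital_certificate: str       # "None (Use Preshared Keys)" or an installed certificate
    certificate_transmission: str  # "Entire certificate chain" or "Identity certificate only"
    ike_proposal: str              # name of an active IKE proposal, e.g. "IKE-3DES-MD5"

    def __post_init__(self) -> None:
        IPv4Address(self.ike_peer)  # IKE Peer must be dotted decimal; raises otherwise


@dataclass(frozen=True)
class SecurityAssociation:
    name: str
    public_ip: str                 # public-interface address of the concentrator holding this SA
    ike: IkeParams


def ike_pair_problems(local: SecurityAssociation, remote: SecurityAssociation) -> List[str]:
    """Problems between one SA and its counterpart on the remote peer (empty = consistent)."""
    problems = []
    for f in fields(IkeParams):
        if f.name == "ike_peer":
            continue               # the only parameter that is mirrored, not identical
        a, b = getattr(local.ike, f.name), getattr(remote.ike, f.name)
        if a != b:
            problems.append(f"{f.name} differs: {a!r} vs {b!r}")
    if local.ike.ike_peer != remote.public_ip:
        problems.append(f"{local.name}: IKE Peer {local.ike.ike_peer} "
                        f"is not the remote public address {remote.public_ip}")
    if remote.ike.ike_peer != local.public_ip:
        problems.append(f"{remote.name}: IKE Peer {remote.ike.ike_peer} "
                        f"is not the local public address {local.public_ip}")
    return problems


def ike_per_peer_problems(sas: List[SecurityAssociation]) -> List[str]:
    """All SAs on one concentrator that name the same IKE Peer must share IKE parameters."""
    first_seen: Dict[str, SecurityAssociation] = {}
    problems = []
    for sa in sas:
        ref = first_seen.setdefault(sa.ike.ike_peer, sa)
        if sa.ike != ref.ike:
            problems.append(f"{sa.name} and {ref.name} both use peer {sa.ike.ike_peer} "
                            f"but their IKE parameters differ")
    return problems


# Constructed sample: a headquarters concentrator (203.0.113.1) and a branch (203.0.113.2).
PSK = "None (Use Preshared Keys)"
HQ_SA = SecurityAssociation("L2L-Branch", "203.0.113.1",
                            IkeParams("203.0.113.2", "Main", PSK, "Identity certificate only", "IKE-3DES-MD5"))
BRANCH_SA = SecurityAssociation("L2L-HQ", "203.0.113.2",
                                IkeParams("203.0.113.1", "Main", PSK, "Identity certificate only", "IKE-3DES-MD5"))

if __name__ == "__main__":
    print(ike_pair_problems(HQ_SA, BRANCH_SA) or "IKE parameters consistent")
```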

Add or Apply / Cancel

To add this Security Association to the list of configured SAs, click Add. Or to apply your changes to this Security Association, click Apply. On the Modify screen, any changes take effect as soon as you click Apply. If this SA is being used by an active filter rule or group, changes might affect tunnel traffic. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen. Any new SA appears at the bottom of the IPSec SAs list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen, and the IPSec SAs list is unchanged.


Configuration | Policy Management | Traffic Management | Security Associations | Delete

This screen asks you to confirm deletion of a Security Association that is assigned to a rule in a filter. Doing so deletes the SA from the VPN Concentrator active configuration, deletes the SA from all rules that use it, and removes those rules from filters.

Figure 14-12 Configuration | Policy Management | Traffic Management | Security Associations | Delete Screen

Note The Manager deletes the SA as soon as you click Yes. If this SA is being used by an active filter, deletion might affect tunnel traffic.

Yes / No

To delete this SA from all rules that use it, and delete it from the active configuration, click Yes. There is no undo. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen and shows the remaining SAs in the IPSec SAs list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To not delete this SA, click No. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen, and the IPSec SAs list is unchanged.


Configuration | Policy Management | Traffic Management | Filters

This section of the Manager lets you add, configure, modify, copy, and delete filters, and assign rules to filters.

Filters consist of rules. A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a packet matches all the parameters specified in the rule, the system takes the Action specified in the rule. If at least one rule parameter does not match, it applies the next rule; and so on. If no rule matches, the system takes the Default Action specified in the filter.

Configuring a filter involves two steps:

Step 1 Configure the basic filter parameters (name, default action, etc.) by clicking Add Filter, Modify Filter, or Copy Filter.

Step 2 Assign rules to a filter by clicking Assign Rules to Filter.

You apply filters to interfaces under Configuration | Interfaces, and these are the most important filters for security since they govern all traffic through an interface. You also apply filters to groups and users under Configuration | User Management, and thus govern tunneled traffic through an interface.

Caution The Cisco-supplied default filters and rules are intended as templates that you should examine and configure to fit your network and security needs. If left in their default configuration or if incorrectly configured, they could present security risks. You should also be especially careful about adding rules to the Public (Default) filter, which allows only tunneled and ICMP traffic.

This screen allows you only to configure filters on the VPN Concentrator. You can also configure filters on an external RADIUS server for use on the VPN Concentrator. For more information on configuring external filters, see Monitoring | Dynamic Filters in VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring.

Figure 14-13 Configuration | Policy Management | Traffic Management | Filters Screen


Filter List

The Filter List shows configured filters, listed in alphabetical order.

Cisco supplies default filters that you can use and modify; see Table 14-4.

Table 14-4 Cisco-Supplied Default Filters

Private (Default)
  Description: Default filter for the Private Interface
  Default Action: Drop
  Source Routing: No
  Fragments: Yes
  Current Rules in Filter: Any In (forward/in), Any Out (forward/out)

Public (Default)
  Description: Default filter for the Public Interface
  Default Action: Drop
  Source Routing: No
  Fragments: Yes
  Current Rules in Filter: GRE In (forward/in), IPSEC-ESP In (forward/in), IKE In (forward/in), PPTP In (forward/in), L2TP In (forward/in), ICMP In (forward/in), VRRP In (forward/in), GRE Out (forward/out), IKE Out (forward/out), PPTP Out (forward/out), L2TP Out (forward/out), ICMP Out (forward/out), VRRP Out (forward/out)

External (Default)
  Description: Default filter for the External Interface
  Default Action: Drop
  Source Routing: No
  Fragments: Yes
  Current Rules in Filter: -Empty-

Firewall Filter for VPN Client (Default)
  Description: Default filter for the VPN Client, when using Policy Pushed (CPP) firewall configuration
  Default Action: Drop
  Source Routing: N/A
  Fragments: N/A
  Current Rules in Filter: Any Out (forward/out)


Add Filter

To configure and add a new filter, click Add Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Add screen. The Manager then automatically lets you assign rules to the filter.

Assign Rules to Filter

To assign or change rules in a configured filter, select the filter from the list and click Assign Rules to Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen, which lets you assign and order the rules that apply to this filter.

Modify Filter

To modify the basic parameters—but not the rules—for a filter that has been configured, click Modify Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Modify screen.

Copy Filter

To create a new filter by copying the basic parameters and rules from a filter that has been configured, click Copy Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Copy screen.

Delete Filter

To delete a configured filter, select the filter from the list and click Delete Filter. See the following notes. The Manager refreshes the screen and shows the remaining entries in the Filter List.

Note You cannot delete a filter that has been applied to an interface. If you try to do so, the Manager displays an error message.

Note You can delete a filter that has been applied to a group or user, and there is no confirmation or undo. Doing so might affect their use of the VPN.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy

These screens let you:

• Add: Configure the basic parameters for a new filter and add it to the list.

• Modify: Modify the basic parameters for a configured filter.

• Copy: Create a new filter that is a copy of a configured filter, and configure its basic parameters. The copy also includes all the rules and SAs of the original filter except rules with an Apply IPSec action.

You configure the rules in a filter on the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen.

Note On the Modify screen, any changes take effect as soon as you click Apply. If this filter is being used by an interface or group, changes might affect data traffic.

Figure 14-14 Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy Screen


Filter Name

Enter a unique name for this filter. Maximum is 48 characters.

Default Action

Click the Default Action drop-down menu button and choose the action that this filter takes if a data packet does not match any of the rules on this filter. The choices are:

• Drop = Discard the packet (the default choice).

• Forward = Allow the packet to pass.

• Drop and Log = Discard the packet and log a filter debugging event (FILTERDBG event class). See Configuration | System | Events and see the following note.

• Forward and Log = Allow the packet to pass and log a filter debugging event (FILTERDBG event class). See the following note.

Note The Log actions are intended for use only while debugging filter activity. Since they generate and log an event for every matched packet, they consume significant system resources and might seriously degrade performance.

Source Routing

Check the Source Routing check box to allow IP source routed packets to pass. A source routed packet specifies its own route through the network and does not rely on the system to control forwarding. This box is unchecked by default, because source-routed packets can present a security risk.

Fragments

Check the Fragments check box to allow fragmented IP packets to pass. Large data packets might be fragmented on their journey through networks, and the destination system reassembles them. While you would normally allow fragmented packets to pass, you might disallow them if you suspect a security problem. This box is checked by default.

Description

Enter a description of this filter. This optional field is a convenience for you or other administrators; use it to describe the purpose or use of the filter. Maximum is 255 characters.


Add or Apply / Cancel

Add screen:

• To add this filter to the list of filters, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen, which lets you assign and order the rules that apply to this filter.

Modify screen:

• To apply your changes to this filter, click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | Filters screen, and the modified filter appears in the same location in the Filter List. Any changes take effect as soon as you click Apply. If this filter is being used by an active interface or group, changes might affect data traffic.

Copy screen:

• To apply your settings and add this filter to the list of filters, click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | Filters screen, and the new filter appears in the Filter List. To assign or change rules on the filter, select the filter from the list and click Assign Rules to Filter.

To discard your changes, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Filters screen, and the Filter List is unchanged.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Policy Management | Traffic Management | Assign Rules to Filter

This section of the Manager lets you add, remove, and prioritize the rules in a filter, and assign Security Associations to rules that are configured with an Apply IPSec action.

A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a rule matches, the system takes the Action specified in the rule. If not, it applies the next rule; and so on. If no rule matches, the system takes the Default Action specified in the filter.

The Manager groups applied rules by direction (inbound or outbound), with inbound rules first. You can prioritize rules only within a direction.

You configure rules on the Configuration | Policy Management | Traffic Management | Rules screens.

Note Rules affect the operation of the filter as soon as you add, remove, or prioritize them. If the filter is being used by an active interface or group, changes might affect data traffic.

Note Be careful about adding or changing rules on the Public (Default) filter. You could compromise security.
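The rule-evaluation behaviour described on this page (ordered first-match rules grouped inbound-first, the filter's Default Action when nothing matches, the Log actions emitting FILTERDBG events, the Source Routing and Fragments switches, and the << Add ordering with Apply IPSec rules at the top of their direction group) as an added model; this is example code, not Cisco's. It builds the Public (Default) filter from Table 14-4 as sample data; the page does not give the match conditions of the Cisco-supplied rules, so matching them on the standard IANA protocol numbers and ports is an assumption, as is dropping source-routed or fragmented packets before the rules run when the corresponding box is unchecked.

```python
"""Added example, not Cisco code: a model of how a VPN 3000 filter evaluates
its ordered rules against a packet, with the Public (Default) filter from
Table 14-4 as constructed sample data."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Standard IANA protocol numbers and ports. The page names the Cisco rules
# but not their match conditions; matching on these values is an assumption.
ICMP, TCP, UDP, GRE, ESP, VRRP = 1, 6, 17, 47, 50, 112


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out" relative to the interface
    protocol: int
    dst_port: Optional[int] = None
    source_routed: bool = False
    fragment: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # forward, drop, forward and log, drop and log, apply ipsec
    direction: str                  # "in" or "out"
    protocol: Optional[int] = None  # None = any protocol
    dst_port: Optional[int] = None  # None = any port
    sa: Optional[str] = None        # Security Association on Apply IPSec rules

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and (self.protocol is None or pkt.protocol == self.protocol)
                and (self.dst_port is None or pkt.dst_port == self.dst_port))


@dataclass
class Filter:
    name: str
    default_action: str = "drop"    # default choice on the Add screen
    source_routing: bool = False    # box unchecked by default
    fragments: bool = True          # box checked by default
    rules: List[Rule] = field(default_factory=list)
    events: List[str] = field(default_factory=list)   # FILTERDBG events

    def add_rule(self, rule: Rule) -> None:
        """<< Add ordering: inbound rules precede outbound ones, and an Apply IPSec
        rule goes to the top of its direction group."""
        same = [i for i, r in enumerate(self.rules) if r.direction == rule.direction]
        if rule.action == "apply ipsec" and same:
            pos = same[0]
        elif rule.direction == "in":
            pos = same[-1] + 1 if same else 0
        else:
            pos = len(self.rules)
        self.rules.insert(pos, rule)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, name of the deciding rule, or None for the Default Action)."""
        # Source Routing and Fragments are filter-level switches; a packet the filter
        # does not allow is modelled here as dropped before any rule runs (assumption).
        if pkt.source_routed and not self.source_routing:
            return "drop", None
        if pkt.fragment and not self.fragments:
            return "drop", None
        for rule in self.rules:              # first matching rule wins, in list order
            if rule.matches(pkt):
                return self._take(rule.action, rule.name, pkt)
        return self._take(self.default_action, None, pkt)

    def _take(self, action: str, rule_name: Optional[str], pkt: Packet) -> Tuple[str, Optional[str]]:
        verdict = action.replace(" and log", "")
        if action.endswith(" and log"):      # the Log variants record one event per packet
            self.events.append(f"FILTERDBG {self.name}: {rule_name or 'default action'} -> {verdict} "
                               f"dir={pkt.direction} proto={pkt.protocol} port={pkt.dst_port}")
        return verdict, rule_name


def public_default_filter() -> Filter:
    """Public (Default) from Table 14-4: only tunnelled and ICMP traffic is forwarded."""
    f = Filter("Public (Default)")
    for name, proto, port in [("GRE", GRE, None), ("IPSEC-ESP", ESP, None), ("IKE", UDP, 500),
                              ("PPTP", TCP, 1723), ("L2TP", UDP, 1701), ("ICMP", ICMP, None),
                              ("VRRP", VRRP, None)]:
        f.add_rule(Rule(f"{name} In", "forward", "in", proto, port))
    for name, proto, port in [("GRE", GRE, None), ("IKE", UDP, 500), ("PPTP", TCP, 1723),
                              ("L2TP", UDP, 1701), ("ICMP", ICMP, None), ("VRRP", VRRP, None)]:
        f.add_rule(Rule(f"{name} Out", "forward", "out", proto, port))
    return f


if __name__ == "__main__":
    pub = public_default_filter()
    print(pub.evaluate(Packet("in", UDP, 500)))   # IKE In forwards it
    print(pub.evaluate(Packet("in", TCP, 443)))   # no rule matches: Default Action drop
```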

Figure 14-15 Configuration | Policy Management | Traffic Management | Assign Rules to Filter Screen


Filter Name

The name of the filter for which you are configuring the rules. You cannot change this name here. (See Configuration | Policy Management | Traffic Management | Filters | Modify.)

Current Rules in Filter

This list shows the rules currently assigned to the filter. Use the scroll controls (if present) to see all the rules in the list. If no rules have been assigned, the list shows --Empty--. Each entry shows the rule name and the action/direction in parentheses; Apply IPSec rules include their Security Association.

Available Rules

This list shows all the rules currently configured on the system (all the rules in the active configuration) that have not been assigned to this filter. Use the scroll controls (if present) to see all the rules in the list. Each entry shows the rule name and the action/direction in parentheses. (Since Security Associations are added to Apply IPSec rules only when those rules are assigned to a filter, this list does not show SAs.)

<< Add

To add a rule to the filter, select the rule from the Available Rules list and click << Add. The Manager moves the rule to the Current Rules in Filter list, modifies the active configuration, refreshes the screen, and by default orders the current rules with all inbound rules preceding all outbound rules.

If you add a rule that has an Apply IPSec action configured, the Manager displays the Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule screen, which lets you add a Security Association to the rule. The Manager also, by default, adds Apply IPSec rules to the top of the group of rules with the same direction (inbound or outbound).

<< Insert Above

To add an available rule above a current rule, select the rule from the Available Rules list, then select a target rule in the Current Rules in Filter list, and click << Insert Above. The Manager moves the rule to the Current Rules in Filter list, modifies the active configuration, refreshes the screen, and orders the new rule above the current rule. Both selected rules must have the same direction (inbound or outbound).

If you add a rule that has an Apply IPSec action configured, the Manager displays the Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule screen, which lets you add a Security Association to the rule.

>> Remove

To remove a rule from the filter, select the rule from the Current Rules in Filter list and click >> Remove. The Manager moves the rule to the Available Rules list, modifies the active configuration, refreshes the screen, and shows the remaining current rules in the filter.

You cannot remove a rule that is configured as part of a LAN-to-LAN connection. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen.


Move Up / Move Down

To change the order in which a rule is applied within the filter, select the rule from the Current Rules in Filter list and click Move Up or Move Down. The Manager reorders the current rules, modifies the active configuration, refreshes the screen, and shows the reordered list. If you try to move a rule out of its direction group (inbound or outbound), the Manager displays an error message.

Assign SA to Rule

To modify the Security Association applied to a current rule that has an Apply IPSec action configured, select the rule from the Current Rules in Filter list and click Assign SA to Rule. The Manager displays the Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule screen.

Done

When you are finished configuring the rules in this filter, click Done. The Manager returns to the Configuration | Policy Management | Traffic Management | Filters screen and refreshes the Filter List.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule

This screen lets you add a configured Security Association to a rule that has an Apply IPSec action configured. You can assign only one SA to a rule.

You configure Security Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens.

Figure 14-16 Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule Screen

Add SA to Rule on Filter:

The Manager shows the name of the filter to which you are adding a rule that has an Apply IPSec action configured. You cannot change this name here. See Configuration | Policy Management | Traffic Management | Filters | Modify.


IPSec SAs

The IPSec SAs list shows the configured SAs that are available, that is, all the SAs in the active configuration.

Apply

To add an SA to the rule, select the SA from the list and click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, modifies the active configuration, and updates the Current Rules in Filter list to show the rule with its SA.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule

This screen lets you change the configured Security Association that is applied to a rule that has an Apply IPSec action configured. You can assign only one SA to a rule.

On this screen, you change which SA is applied. You configure SAs themselves on the Configuration | Policy Management | Traffic Management | Security Associations screens.

Note The change takes effect as soon as you click Apply. If this filter is being used by an interface or group, the change might affect tunnel traffic.

Figure 14-17 Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule Screen

Change SA on Rule in Filter

The Manager shows the name of the filter to which the IPSec rule is assigned. You cannot change this name here. See Configuration | Policy Management | Traffic Management | Filters | Modify.

IPSec SAs

The IPSec SAs list shows the configured SAs that are available (all the SAs in the active configuration). By default, the SA that is currently applied to the rule is selected.


Apply / Cancel

To apply a different SA to this rule, select the SA from the list and click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, modifies the active configuration, and updates the Current Rules in Filter list to show the rule with its new SA. The change takes effect as soon as you click Apply. If this filter is being used by an active interface or group, the change might affect tunnel traffic.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard the change and keep the current SA on the rule, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, and the Current Rules in Filter list is unchanged.


Configuration | Policy Management | Traffic Management | NAT

This section of the Manager lets you configure and enable NAT (Network Address Translation). NAT translates private network addresses into an IANA-assigned public network address, and vice versa, and thus allows traffic routing between the networks.

A NAT session is a translation instance. When a packet passing through the VPN Concentrator matches a NAT rule and is translated, a NAT session begins. The NAT session records details of the translation, including the source IP address and port, the destination IP address and port, and the translated, or mapped, address and port.

A NAT rule defines the criteria that a packet must meet to be translated. For interface NAT rules, criteria include the protocol: portless, UDP, or TCP. For LAN-to-LAN connections, the criteria are the source, translated and destination IP addresses.

To use NAT, we recommend that you first configure NAT rules, then enable the function.

You can change NAT rules while NAT is enabled. Doing so affects subsequent sessions, but not current sessions, as long as the changed rule still allows the current session; if it does not, traffic for that session stops.

For inbound packets, the destination address and port are mapped. For outbound traffic, the source address and port are mapped.

As packets pass through the VPN Concentrator, NAT sessions are searched for a match prior to applying NAT rules. If a match exists, the packet is translated in the same way as the packet that caused the session to initiate, and the session continues, allowing the VPN Concentrator to maintain address and port continuity within a session. NAT sessions expire and are deleted if they are unused for a certain time period, which varies depending on the protocol. Therefore, unless the NAT rule is a static rule, NAT sessions between the same clients may have different translated addresses for different NAT sessions.

For a detailed explanation of NAT and PAT, see http://www.cisco.com/warp/public/556/nat-cisco.shtml.

Figure 14-18 Configuration | Policy Management | Traffic Management | NAT Screen


Configuration | Policy Management | Traffic Management | NAT | Enable

This screen lets you enable NAT operation for Interfaces, which applies NAT to all non-tunneled traffic flowing through the public interface, and for LAN-to-LAN tunnels. We recommend that you configure NAT rules before you enable the function.

Figure 14-19 Configuration | Policy Management | Traffic Management | NAT | Enable Screen

Interface NAT Rules Enabled

Check the Interface NAT Rules Enabled check box to enable NAT rules for interfaces, or uncheck it to disable these NAT rules. By default, the box is unchecked.

LAN-to-LAN Tunnel NAT Rule Enabled

Check the LAN-to-LAN Tunnel NAT Rule Enabled check box to enable NAT rules for LAN-to-LAN connections, or uncheck it to disable these NAT rules. By default, the box is unchecked.

Apply / Cancel

To enable or disable NAT rules, and include your setting in the active configuration, click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entry and leave the active configuration unchanged, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT screen.


Configuration | Policy Management | Traffic Management | NAT | Interface Rules

This section of the Manager lets you add, configure, modify, and delete Interface NAT rules. We recommend that you first configure and add rules, then enable the function. To configure Interface NAT rules, you must first configure a VPN Concentrator public interface; see Configuration | Interfaces.

You need at least one rule for each private network that the VPN Concentrator connects to, and that uses NAT.

Figure 14-20 Configuration | Policy Management | Traffic Management | NAT | Interface Rules Screen

Interface NAT Rules

The Interface NAT Rules list shows NAT rules that have been configured. If no rules have been configured, the list shows --Empty--. The format of each rule is: Private Address/Subnet-Mask on Interface (Action); for example, 10.0.0.0/8 on Ethernet 2 (Public) (TCP).


Add / Modify / Delete

To configure and add a new Interface NAT rule to the list of configured rules, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add screen. If you have not configured a public interface, the Manager displays the Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces screen.

To modify a configured NAT rule, select the rule from the NAT Rules list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Modify screen.

To delete a configured NAT rule, select the rule from the NAT Rules list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining rules in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces

The Manager displays this screen if you have not configured a public interface on the VPN Concentrator and you try to add a NAT rule. The public interface need not be enabled, but it must be configured with an IP address and the Public Interface parameter enabled.

You should designate only one VPN Concentrator interface as a public interface.

Figure 14-21 Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces Screen

Click the highlighted link to configure the desired public interface. The Manager opens the appropriate Configuration | Interfaces screen.


Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add or Modify

These screens let you:

• Add: Configure and add new Interface NAT rules.

• Modify: Modify a previously configured Interface NAT rule.

You must configure a public interface on the VPN Concentrator before you can add an Interface NAT rule. See the Configuration | Interfaces screens.

Figure 14-22 Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add or Modify Screen

Interface

Add screen:

• Click the drop-down menu button and select the configured public interface for this Interface NAT rule. The list shows all interfaces that have the Public Interface parameter enabled. See Configuration | Interfaces.

Modify screen:

• The screen shows the configured public interface for this Interface NAT rule. You cannot change the interface. To move the rule to another interface, you must delete this rule and add a new one for the other interface.

Private Address

Specify the private network (subnet) addresses that NAT translates to and from the public address.


IP Address

Enter the private IP address in dotted decimal notation, for example: 10.0.0.1.

Subnet Mask

Enter the subnet mask appropriate for the private IP address range. Use dotted decimal notation; the default is 255.255.255.255. For example, to translate all private addresses in class A network 10, enter 255.0.0.0.

In the NAT Rules list, the subnet mask is shown as the number of ones; for example, 255.255.0.0 is shown as /16.

Action

Check the box(es) to choose the translation action(s) for this NAT rule:

• Map Portless Protocols = Translate addresses for packets with protocols that do not use ports and thus do not involve port mapping (default). For example, this action supports ping, which uses ICMP.

• Map UDP = Map ports within outbound UDP packets to dynamic ports (49152 to 65535) on the public IP address, and vice versa.

• Map TCP = Map ports within outbound TCP packets to dynamic ports (49152 to 65535) on the public IP address, and vice versa.

• FTP Proxy = Provide FTP proxy server functions and map outbound ports to dynamic ports (49152 to 65535) on the public IP address. FTP requires specialized NAT behavior; this action allows outgoing FTP transactions to function properly.
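The session and rule behaviour described in the NAT overview (session table consulted before the rules, source mapped outbound and destination mapped inbound, dynamic ports 49152 to 65535, idle expiry) together with the Action check boxes above, modelled as an added Python example. This is not Cisco's code: the public address, the rule, the packets and the per-protocol idle timeouts are constructed (the page says only that timeouts vary by protocol).

```python
import ipaddress

DYNAMIC_PORTS = (49152, 65535)   # Map UDP / Map TCP: "dynamic ports (49152 to 65535)"
IDLE_TIMEOUT = {"tcp": 3600, "udp": 300, "portless": 60}   # constructed values, seconds


class InterfaceNat:
    """NAT on one public interface.

    rules: list of (private network, set of enabled actions), where the actions are
    "portless", "udp" and "tcp", mirroring the Action check boxes of an Interface NAT rule.
    """

    def __init__(self, public_ip, rules):
        self.public_ip = public_ip
        self.rules = [(ipaddress.ip_network(net), set(actions)) for net, actions in rules]
        self.outbound = {}   # (proto, src, sport, dst, dport) -> mapped public port (None if portless)
        self.inbound = {}    # (proto, mapped port, remote ip, remote port) -> (private ip, port)
        self.last_used = {}  # outbound key -> time the session last carried a packet
        self.next_port = DYNAMIC_PORTS[0]
        self.now = 0

    def tick(self, seconds):
        """Advance the clock; sessions idle longer than their protocol's timeout are deleted."""
        self.now += seconds
        expired = [k for k, t in self.last_used.items() if self.now - t > IDLE_TIMEOUT[k[0]]]
        for key in expired:
            proto, _src, _sport, dst, dport = key
            mapped = self.outbound.pop(key)
            self.inbound.pop((proto, mapped, dst, dport))
            del self.last_used[key]

    def _rule_allows(self, proto, src):
        """A packet is translated only if a rule covers its source and has that action enabled."""
        ip = ipaddress.ip_address(src)
        return any(ip in net and proto in actions for net, actions in self.rules)

    def translate_out(self, proto, src, sport, dst, dport):
        """Private -> public. Returns (public ip, mapped port), or None when no rule applies."""
        key = (proto, src, sport, dst, dport)
        if key not in self.outbound:                 # existing sessions are checked before rules
            if not self._rule_allows(proto, src):
                return None
            mapped = None                            # portless protocols (e.g. ICMP): address only
            if proto in ("tcp", "udp"):
                if self.next_port > DYNAMIC_PORTS[1]:
                    raise RuntimeError("dynamic port range exhausted")
                mapped = self.next_port
                self.next_port += 1
            self.outbound[key] = mapped
            self.inbound[(proto, mapped, dst, dport)] = (src, sport)
        self.last_used[key] = self.now               # traffic keeps the session alive
        return (self.public_ip, self.outbound[key])

    def translate_in(self, proto, src, sport, dst, dport):
        """Public -> private. Returns (private ip, private port), or None without a session."""
        if dst != self.public_ip or (proto, dport, src, sport) not in self.inbound:
            return None                              # unsolicited inbound traffic is not translated
        private_ip, private_port = self.inbound[(proto, dport, src, sport)]
        self.last_used[(proto, private_ip, private_port, src, sport)] = self.now
        return (private_ip, private_port)
```

A rule with only Map Portless Protocols and Map TCP checked leaves UDP from the same private network untranslated, and once a session has expired a new outbound packet is given a fresh dynamic port rather than the old one.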

Add or Apply / Cancel

To add this rule to the list of configured Interface NAT rules, click Add. Or to apply your changes to this Interface NAT rule, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT | Interface Rules screen. Any new rule appears at the bottom of the Interface NAT Rules list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT | Rules screen, and the Interface NAT Rules list is unchanged.


Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules

This section of the Manager lets you add, configure, modify, and delete LAN-to-LAN NAT rules that apply only to traffic that passes over LAN-to-LAN tunnels. We recommend that you first configure and add rules, then enable the function.

About LAN-to-LAN NAT

Private networks often use the same private address spaces. For connecting VPN networks, this duplication of IP addresses can prevent communication, because traffic from one private network to another using the same address space is perceived as local, and therefore does not travel to the second network. You can use NAT to solve this problem, translating private network addresses to legitimate public network addresses as packets enter the tunnel, rather than assigning new IP addresses to the networks.

Mapping rules that you configure determine how LAN-to-LAN NAT translates network addresses. There are three types of mapping rules:

• Static LAN-to-LAN NAT rules map source IP addresses to Translated IP addresses on a one-to-one basis. Static rules apply both to

– inbound traffic, which is traffic received over a LAN-to-LAN tunnel.

– outbound traffic, which is traffic bound for a LAN-to-LAN tunnel.

Static rules are restricted to networks in which the local network and mapped network are of the same size. Port mappings are unnecessary, and are not performed.

• Dynamic LAN-to-LAN NAT rules map source IP addresses to one of a pool of available translated IP addresses, or to a single address. Dynamic mappings apply only to outbound traffic.

• PAT LAN-to-LAN NAT rules are dynamic rules with Port Address Translation. PAT rules apply to outbound traffic only.

Figure 14-23 is an example of a network topology that has complete overlap in the address spaces for the networks behind VPN Concentrators A and B.

Figure 14-23 LAN-to-LAN NAT Example

Figure 14-23 (diagram): VPN Concentrator A and VPN Concentrator B are connected over the public network; behind each is a 10.10.10.0 network with a host at 10.10.10.1.


The LAN-to-LAN NAT mapping rules for these VPN Concentrators are listed in Table 14-5.

The VPN Concentrators are configured as follows:

• A LAN-to-LAN tunnel connects networks 20.20.20.0/24 and 30.30.30.0/24.

• Concentrator A is configured to route traffic destined for 30.30.30.0 through the LAN-to-LAN tunnel.

• Concentrator B is configured to route traffic destined for 20.20.20.0 through the LAN-to-LAN tunnel.

A client with the IP address of 10.10.10.2 on network A sends a message to a server on network B with an IP address of 10.10.10.4. The clients on Network A already know the static address translation of the servers on Network B. Table 14-5 describes the message flow and the NAT translations that occur.

Table 14-5 LAN-to-LAN NAT Message Flow for LAN-to-LAN Tunnel Networks 20.20.20.0/24 and 30.30.30.0/24

Rules:

• VPN Concentrator A: Rule A, Dynamic/PAT, mapping 10.10.10.0/24 -> 20.20.20.9

• VPN Concentrator B: Rule B, Static NAT, mapping 10.10.10.0/24 -> 30.30.30.0/24

Message from host to server (tunnel direction Concentrator A -> Concentrator B):

• Concentrator A, private network 10.10.10.0: Host with source IP address of 10.10.10.2 sends a message to server on network B with destination IP address of 30.30.30.4.

• Concentrator A, after outbound NAT translation: Source IP address translates to 20.20.20.9, using Rule A to create Session A1. Destination IP address is 30.30.30.4.

• Concentrator B, after inbound NAT translation: Source IP address is 20.20.20.9. Destination IP address 30.30.30.4 translates to 10.10.10.4, using Rule B to create Session B1.

• Concentrator B, private network 10.10.10.0: Server with destination IP address 10.10.10.4 receives packet from host with source IP address of 20.20.20.9.

Reply from server to host (tunnel direction Concentrator B -> Concentrator A):

• Concentrator B, private network 10.10.10.0: Server with source IP address of 10.10.10.4 replies to host with destination IP address of 20.20.20.9.

• Concentrator B, after outbound NAT translation: Source IP address translates to 30.30.30.4, with Concentrator B using mapping information from Session B1. Destination IP address is 20.20.20.9.

• Concentrator A, after inbound NAT translation: Source IP address is 30.30.30.4. Destination IP address translates to 10.10.10.2, with Concentrator A using mapping information from Session A1.
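The message flow of Table 14-5 replayed as an added Python example (not Cisco's code): Concentrator A applies a Dynamic/PAT rule to outbound traffic only, Concentrator B applies a Static rule in both directions, and each side records a session so the reply is mapped back from the session rather than from the rules. The Remote field is not modelled (every packet is assumed bound for the tunnel), the PAT port base and the port numbers are constructed, and the "dynamic" pool type is included as a generalisation beyond the two rules in the table.

```python
import ipaddress


class L2LNat:
    """One VPN Concentrator's LAN-to-LAN NAT rules and sessions.

    rules: list of (type, source network, translated) with type "static" (translated is a
    network of the same size), "dynamic" (translated is a pool network) or "pat"
    (translated is a single address).
    """

    PAT_PORT_BASE = 49152   # constructed; the page does not state the PAT port range

    def __init__(self, name, rules):
        self.name = name
        self.rules = []
        for rtype, source, translated in rules:
            if rtype == "static":
                mapped = ipaddress.ip_network(translated)
            elif rtype == "dynamic":
                mapped = iter(ipaddress.ip_network(translated).hosts())   # address pool
            elif rtype == "pat":
                mapped = ipaddress.ip_address(translated)
            else:
                raise ValueError("unknown NAT type: " + rtype)
            self.rules.append((rtype, ipaddress.ip_network(source), mapped))
        self.sessions = {}       # (private ip, port) -> (translated ip, port)
        self.by_translated = {}  # (translated ip, port) -> (private ip, port)
        self.next_port = self.PAT_PORT_BASE

    @staticmethod
    def _one_to_one(ip, from_net, to_net):
        """Static mapping: keep the host bits, replace the network bits."""
        host_bits = int(ip) & int(from_net.hostmask)
        return str(ipaddress.ip_address(int(to_net.network_address) | host_bits))

    def _record(self, private, translated):
        self.sessions[private] = translated
        self.by_translated[translated] = private

    def outbound(self, src, sport, dst, dport):
        """Packet about to enter the tunnel: returns (src, sport, dst, dport) as sent."""
        if (src, sport) in self.sessions:                   # session table before rules
            tsrc, tport = self.sessions[(src, sport)]
            return (tsrc, tport, dst, dport)
        ip = ipaddress.ip_address(src)
        for rtype, source, mapped in self.rules:
            if ip not in source:
                continue
            if rtype == "static":
                tsrc, tport = self._one_to_one(ip, source, mapped), sport
            elif rtype == "dynamic":
                tsrc, tport = str(next(mapped)), sport      # pool address, port unchanged
            else:                                           # pat: one address, new port
                tsrc, tport = str(mapped), self.next_port
                self.next_port += 1
            self._record((src, sport), (tsrc, tport))
            return (tsrc, tport, dst, dport)
        return (src, sport, dst, dport)                     # no rule: not translated

    def inbound(self, src, sport, dst, dport):
        """Packet received over the tunnel: maps the destination back to the private address."""
        if (dst, dport) in self.by_translated:
            pdst, pport = self.by_translated[(dst, dport)]
            return (src, sport, pdst, pport)
        ip = ipaddress.ip_address(dst)
        for rtype, source, mapped in self.rules:
            if rtype == "static" and ip in mapped:          # only static rules map new inbound flows
                pdst = self._one_to_one(ip, mapped, source)
                self._record((pdst, dport), (dst, dport))
                return (src, sport, pdst, dport)
        return (src, sport, dst, dport)                     # dynamic/PAT: no predictable mapping


def table_14_5_flow():
    """Replay the request and reply of Table 14-5; returns the four packets in order."""
    a = L2LNat("A", [("pat", "10.10.10.0/24", "20.20.20.9")])
    b = L2LNat("B", [("static", "10.10.10.0/24", "30.30.30.0/24")])
    request = ("10.10.10.2", 1025, "30.30.30.4", 80)        # ports are constructed
    on_wire = a.outbound(*request)                          # Session A1: 10.10.10.2 -> 20.20.20.9
    at_server = b.inbound(*on_wire)                         # Session B1: 30.30.30.4 -> 10.10.10.4
    reply = b.outbound(at_server[2], at_server[3], at_server[0], at_server[1])
    at_host = a.inbound(*reply)
    return on_wire, at_server, reply, at_host
```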


You configure LAN-to-LAN NAT rules in the Configuration | Policy Management | NAT | LAN-to-LAN Rules screen.

Figure 14-24 Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules Screen

LAN-to-LAN NAT Rules

The LAN-to-LAN NAT Rules list shows rules that have been configured. The format is [Source : Translated] -> Remote (Type). If no LAN-to-LAN NAT rules have been configured, the list shows --Empty--.

Source

This is the host IP address and wildcard mask on the private network.

Translated

This is the translated IP address and wildcard mask for the local address of this LAN-to-LAN connection. This is also the translated address space.

Remote

This is the destination IP address and wildcard mask for this LAN-to-LAN connection. The rule is applied only to packets bound for this address space. The address space must be part of the destination address space of a LAN-to-LAN connection.


Type

This identifies the type of LAN-to-LAN NAT Rule:

• Static LAN-to-LAN NAT rules map source IP addresses to Translated IP addresses on a one-to-one basis. Static rules apply both to

– inbound traffic, which is traffic received over a public interface.

– outbound traffic, which is traffic bound for a public interface.

Static rules are restricted to networks in which the local network and mapped network are of the same size. Port mappings are unnecessary, and are not performed.

• Dynamic LAN-to-LAN NAT rules map source IP addresses to one of a pool of available translated IP addresses, or to a single address. Dynamic mappings apply only to outbound traffic.

• PAT LAN-to-LAN NAT rules are dynamic rules with Port Address Translation. PAT rules apply to outbound traffic only.

Add / Modify / Delete

To configure and add a new LAN-to-LAN NAT rule, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add screen.

To modify a configured NAT rule, select the rule from the NAT Rules list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Modify screen.

To delete a configured NAT rule, select the rule from the LAN-to-LAN NAT Rules list and click Delete.

Note There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining rules in the list.

Move Up / Move Down

You can use the Move Up and Move Down buttons to sort LAN-to-LAN NAT rules in priority order, with these exceptions:

• Static rules have priority over dynamic rules.

• You cannot prioritize static rules. The VPN Concentrator gives static rules for smaller networks a higher priority than those for larger networks. Therefore, the priority order of static rules is:

– Host-to-host

– Class C

– Class B

– Class A

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify

This screen lets you add or modify NAT LAN-to-LAN rules.

Figure 14-25 Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify Screens

NAT Type

This identifies the type of LAN-to-LAN NAT Rule:

• Static LAN-to-LAN NAT rules map source IP addresses to Translated IP addresses on a one-to-one basis. Static rules apply both to

– inbound traffic, which is traffic received over a public interface.

– outbound traffic, which is traffic bound for a public interface.

Static rules are restricted to networks in which the local network and mapped network are of the same size. Port mappings are unnecessary, and are not performed.

• Dynamic LAN-to-LAN NAT rules map source IP addresses to one of a pool of available translated IP addresses, or to a single address. Dynamic mappings apply only to outbound traffic.

• PAT LAN-to-LAN NAT rules are dynamic rules with Port Address Translation. PAT rules apply to outbound traffic only.


Guideline for Defining NAT Rules and Types

Understand this caveat as you define NAT rules for LAN-to-LAN connections:

If you expect inbound traffic, you need to define a static LAN-to-LAN NAT rule. This is because with any other type of NAT rule, the translated address is impossible to predict, leaving the sender no way of identifying the IP address to which it should send packets.

Source Network

This is the network IP address and wildcard mask the rule translates.

Translated Network

This is the translated IP address and wildcard mask for the local network of this LAN-to-LAN connection.

Remote Network

This is the destination IP network and wildcard mask for this LAN-to-LAN connection.

Note If you have a network with any remote access clients, you must specifically define the remote network, and not accept the default values of 0.0.0.0/255.255.255.255. If you were to accept these default values, and the source network and wildcard mask of the rule overlaps or is the same as the network addresses assigned to remote access clients, the VPN Concentrator attempts to NAT traffic intended for the remote access clients for the LAN-to-LAN connection instead, and that traffic never reaches the remote access clients. The only exception to this is for remote access clients that get their IP addresses from a third network, in which case you can use default values for this parameter.

IP Address

Enter the source IP address in dotted decimal notation. Default is 0.0.0.0.


Wildcard Mask

Enter the wildcard mask in dotted decimal notation. Default is 255.255.255.255.

Note A wildcard mask is the reverse of a subnet mask. The wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example:

• 0.0.0.0/255.255.255.255 = any address

• 10.10.1.35/0.0.0.0 = only 10.10.1.35

• 10.10.1.35/0.0.0.255 = all 10.10.1.nnn addresses
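Wildcard-mask matching as defined in the note above, and the rule order given under Move Up / Move Down (static rules before dynamic and PAT rules, static rules for smaller networks before larger ones), as an added Python example that is not Cisco's code. The rule list is constructed, and the ordering is generalised from the host-to-host / Class C / Class B / Class A cases to any wildcard mask by sorting on the number of addresses the mask covers.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _bits(dotted):
    return int(ipaddress.ip_address(dotted))


def wildcard_match(address, network, wildcard):
    """True when address agrees with network in every bit position the wildcard mask
    does not ignore (ones in the wildcard mask are ignored, zeros must match)."""
    care = _bits(wildcard) ^ ALL_ONES
    return (_bits(address) ^ _bits(network)) & care == 0


def network_size(wildcard):
    """Number of addresses a wildcard mask covers: 2 ** (number of one bits)."""
    return 1 << bin(_bits(wildcard)).count("1")


def size_class(wildcard):
    """The page's labels for the static-rule priority order; other sizes are a generalisation."""
    labels = {1: "host-to-host", 2 ** 8: "Class C", 2 ** 16: "Class B", 2 ** 24: "Class A"}
    return labels.get(network_size(wildcard), "other")


def order_rules(rules):
    """Effective order: static rules first, smaller networks before larger ones; dynamic
    and PAT rules follow in the administrator's Move Up / Move Down order.

    rules: list of dicts with keys "type" ("static", "dynamic" or "pat"), "source", "wildcard".
    """
    static = sorted((r for r in rules if r["type"] == "static"),
                    key=lambda r: network_size(r["wildcard"]))
    others = [r for r in rules if r["type"] != "static"]
    return static + others


def first_matching_rule(rules, source_address):
    """The rule the Concentrator would apply to a packet from source_address, or None."""
    for rule in order_rules(rules):
        if wildcard_match(source_address, rule["source"], rule["wildcard"]):
            return rule
    return None


# Constructed rule list, in the order an administrator might have added the rules.
RULES = [
    {"name": "pat-all", "type": "pat", "source": "10.0.0.0", "wildcard": "0.255.255.255"},
    {"name": "static-b", "type": "static", "source": "10.1.0.0", "wildcard": "0.0.255.255"},
    {"name": "static-host", "type": "static", "source": "10.1.2.3", "wildcard": "0.0.0.0"},
    {"name": "dynamic-c", "type": "dynamic", "source": "10.2.2.0", "wildcard": "0.0.0.255"},
]
```

Note that the PAT rule covering all of 10.0.0.0/0.255.255.255 is listed before the dynamic rule for 10.2.2.0, so the dynamic rule is never reached; Move Up on the dynamic rule would change that.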

Note There is no confirmation or undo.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Policy Management | Traffic Management | Bandwidth Policies

This section of the Manager lets you configure bandwidth management policies. You can configure a bandwidth policy to do one or all of the following:

• Reserve a minimum amount of bandwidth per session

• Limit users within groups to a maximum amount of bandwidth

Once you configure bandwidth policies, you can apply them either to an interface, or a group, or both. If you apply a policy to an interface only, it applies to each user on the interface. If you apply a policy to a group, it applies only to the users in that group. If you apply one policy to an interface and a different policy to a group, users who are members of that group use the group policy, and all other users use the interface policy.

Figure 14-26 Configuration | Policy Management | Traffic Management | Bandwidth Policies Screen

Add / Modify / Delete

To create a new bandwidth policy, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add screen.

To modify a configured bandwidth policy, select the policy in the Bandwidth Policies list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Modify screen.

To delete a configured bandwidth policy, select the policy in the Bandwidth Policies list and click Delete.


Configuration | Policy Management | Traffic Management | Add or Modify

This screen lets you:

Add: Configure and add a bandwidth policy

Modify: Modify a previously configured bandwidth policy

Overview of Bandwidth Management

There are two aspects of bandwidth management: bandwidth policing and bandwidth reservation. Bandwidth policing limits the maximum rate of tunneled traffic. The VPN Concentrator transmits traffic it receives below this rate; it drops traffic above this rate. Bandwidth reservation sets aside a minimum bandwidth rate for tunneled traffic. Using bandwidth management, you can allocate bandwidth to groups and users equitably, thus preventing certain groups or users from consuming a majority of the bandwidth.

Bandwidth management applies only to tunneled traffic (L2TP, PPTP, IPSec) and is most commonly applied to the public interface.

Tip If you receive an error message when you're configuring any bandwidth management feature, check the event log. The event log gives very specific feedback for bandwidth management errors.

Bandwidth Reservation

Bandwidth reservation sets aside a minimum limit of bandwidth per tunnel for tunneled traffic. Each user receives at least a set amount of bandwidth. When there is little traffic on the box, users receive more than their allocated minimum of bandwidth. When the box becomes busy, they receive at least that much. When the combined total of the reserved bandwidth amounts of all active tunnels on an interface approaches the limit of the total bandwidth available on that interface, the VPN Concentrator refuses further connections to users who demand more reserved bandwidth than is available.

You can configure bandwidth reservation on just an interface (usually the public). In this case, every user who connects on the public interface receives the same reserved minimum bandwidth. If, in addition, you configure reserved bandwidth on a particular group, users in that group can claim an amount of reserved bandwidth that differs from that of the other users on the interface. You cannot configure reserved bandwidth on a specific group unless you have first configured reserved bandwidth on the interface.


Example One: A Bandwidth Reservation Policy Applied to an Interface

Suppose the link rate on your public interface is 1,544 kbps. And suppose you apply a reserved bandwidth policy to that interface that sets the reserved bandwidth to the default: 56 kbps per user. With this link rate and policy setting, only a total of 27 users can connect to the VPN Concentrator at one time. (1544 kbps per interface divided by 56 kbps per user equals 27 connections.)

• The first user who logs on to the VPN Concentrator gets his reserved 56 kbps plus the remainder of the bandwidth (1488 kbps).

• The second user who logs on to the VPN Concentrator gets his reserved 56 kbps plus he shares the remainder of the bandwidth (1432 kbps) with the first user.

• When the twenty-seventh user connects, all users are throttled to their minimum of 56 kbps per connection.

• When the twenty-eighth user attempts to connect, the VPN Concentrator refuses the connection. It does not allow any additional connections because it cannot supply the minimum 56 kbps reserve to more users.

Example Two: Bandwidth Reservation Policies Applied to an Interface and a Group

Add bandwidth reservation on a particular group to the above example. The group “Executives” reserves 112 kbps of the public interface bandwidth for any member of the group.

• The first user who logs on to the VPN Concentrator is not in the Executive group. He gets his reserved 56 kbps plus the remainder of the bandwidth (1488 kbps).

• Then, the president logs in. She gets her 112 kbps plus she shares the remainder of the bandwidth (1376 kbps) with the first user.

• As more executives and non-executives connect, they each receive the specified amount of bandwidth (112 kbps or 56 kbps) plus they share the bandwidth that remains. The VPN Concentrator allows users to connect until it can no longer provide the minimum reserve (56 kbps for a non-executive, 112 kbps for an executive).

Keep in mind that there may be many groups using the VPN Concentrator, each with different bandwidth policies.

Bandwidth Aggregation

From Example Two, you can see that bandwidth reservation alone can lead to a scenario in which high priority, high bandwidth users are unable to connect to a congested VPN Concentrator because of their bandwidth requirements. For this case, the VPN Concentrator provides a feature called bandwidth aggregation. Bandwidth aggregation allows a particular group to reserve a fixed portion of the total bandwidth on the interface. (This fixed portion is known as an aggregation.) Then, as users from that group connect, each receives a part of the bandwidth allocated to the group. Users who are not in that group cannot share this reserved portion, even if no one else is using it. A group's aggregation does not change the per-user reservation of users outside the group; however, those users now share a smaller amount of total bandwidth, so fewer of them can connect.

Suppose the company president in Example Two wants two top executives to be able to access the VPN Concentrator at any time. In this case, you can configure a bandwidth aggregation of half the interface bandwidth for the group "Top Executives." Half the bandwidth of the interface is then set aside for the use of this group. All the other users on the interface compete for the remaining half.
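The admission arithmetic from Examples One and Two and from the aggregation case above, worked as an added Python model. This is not VPN Concentrator code: the Interface class, its method names and the way it reports the shared remainder are assumptions made for illustration; the link rate and reservations are the ones used in the examples.

```python
"""Admission control for bandwidth reservation and aggregation on one interface.

Added example, not VPN Concentrator code: it models the rules given in Examples
One and Two and under Bandwidth Aggregation so the arithmetic can be checked.
The Interface class and its method names are assumptions made for illustration.
Rates are in bps, as entered on the Bandwidth Policies screen.
"""
from dataclasses import dataclass, field


@dataclass
class Interface:
    link_rate: int                                     # link rate set on the Bandwidth tab
    default_reserve: int                               # per-user minimum from the interface policy
    group_reserve: dict = field(default_factory=dict)  # group -> per-user minimum (group policy)
    aggregate: dict = field(default_factory=dict)      # group -> fixed pool set aside for it
    sessions: list = field(default_factory=list)       # active (user, group) tuples

    def reserve_for(self, group):
        """Minimum bandwidth owed to a member of `group` (None = no group policy)."""
        return self.group_reserve.get(group, self.default_reserve)

    def _pool_key(self, group):
        # An aggregated group draws on its own pool; everyone else shares the rest.
        return group if group in self.aggregate else None

    def _pool_size(self, key):
        if key is None:
            return self.link_rate - sum(self.aggregate.values())
        return self.aggregate[key]

    def _committed(self, key):
        """Reserved bandwidth already promised to sessions drawing on pool `key`."""
        return sum(self.reserve_for(g) for _, g in self.sessions
                   if self._pool_key(g) == key)

    def connect(self, user, group=None):
        """Admit the session only if its minimum can still be guaranteed.

        This is the refusal in Example One: the 28th 56 kbps user on a 1,544 kbps
        link is turned away because 28 * 56 kbps exceeds the link rate.
        """
        key = self._pool_key(group)
        if self._committed(key) + self.reserve_for(group) > self._pool_size(key):
            return False
        self.sessions.append((user, group))
        return True

    def share(self, user):
        """(reserved minimum, unreserved remainder the user shares with its pool)."""
        group = dict(self.sessions)[user]
        key = self._pool_key(group)
        return self.reserve_for(group), self._pool_size(key) - self._committed(key)


def example_one():
    """1,544 kbps link, 56 kbps per user: 27 admitted, the 28th refused."""
    ifc = Interface(link_rate=1_544_000, default_reserve=56_000)
    admitted = [ifc.connect(f"user{n}") for n in range(1, 29)]
    return admitted.count(True), admitted[-1]


def example_two():
    """Same link; the Executives group reserves 112 kbps per member."""
    ifc = Interface(link_rate=1_544_000, default_reserve=56_000,
                    group_reserve={"Executives": 112_000})
    ifc.connect("first")
    before = ifc.share("first")                 # 56 kbps plus the 1,488 kbps remainder
    ifc.connect("president", "Executives")
    return before, ifc.share("president")      # 112 kbps plus the 1,376 kbps remainder


def aggregation():
    """Half the link set aside for Top Executives; non-members cannot use it."""
    ifc = Interface(link_rate=1_544_000, default_reserve=56_000,
                    group_reserve={"Top Executives": 112_000},
                    aggregate={"Top Executives": 772_000})
    others = [ifc.connect(f"user{n}") for n in range(1, 20)].count(True)
    # The other half (772 kbps) holds 13 ordinary users; the 14th and later are refused,
    # yet an executive still gets in because the group's own pool is untouched.
    return others, ifc.connect("cto", "Top Executives")


if __name__ == "__main__":
    print(example_one(), example_two(), aggregation())
```

The model makes the trade-off of aggregation concrete: setting aside 772 kbps for Top Executives cuts the ordinary users' capacity from 27 to 13 sessions even while the executive pool sits idle, which is exactly the "fewer of them can connect" cost described above.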

LAN-to-LANs and Bandwidth Reservation

Configure bandwidth reservation for a LAN-to-LAN connection as you would for a group with one user. In this way, you reserve a set amount of bandwidth for the connection. (The users on the LAN-to-LAN connection are not managed, only the connection.) When you apply a bandwidth reservation policy to a LAN-to-LAN connection, the VPN Concentrator automatically adds bandwidth aggregation.

Bandwidth Policing

Bandwidth policing sets a maximum limit, a cap, on the rate of tunneled traffic. The VPN Concentrator transmits traffic it receives below this rate; it drops traffic above this rate.

Because traffic is bursty, some flexibility is built into policing. Policing involves two thresholds: the policing rate and the burst size. The policing rate is the maximum sustained rate of tunneled traffic. The burst size is the maximum number of bytes that may be sent in an instantaneous burst above the policing rate before traffic is capped back to the policing rate. The VPN Concentrator forwards bursts that exceed the policing rate as long as they stay within the burst size; traffic that consistently exceeds the burst size is dropped back down to the policing rate.

Configuring Bandwidth Management

To configure bandwidth management, follow these steps:

Step 1 Using this section of the Manager: define one or more bandwidth management policies.

Step 2 On the Configuration | Interfaces | Ethernet 2 screen, Bandwidth Parameters Tab:

a. Enable bandwidth management on the public (or any other) interface.

b. Specify the link rate.

c. Assign a bandwidth policy to the interface to assign a default policy for all users on that interface. If you are further planning to assign a bandwidth reservation policy to a specific group, this default policy must include bandwidth reservation.

Step 3 If you also want to manage bandwidth for a specific group, use the Configuration | User Management | Groups | Bandwidth Policy screen to apply a bandwidth policy to that group.

Step 4 To manage bandwidth for a specific LAN-to-LAN connection, use the Bandwidth Policy parameters on the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen to apply a bandwidth policy to that connection.

Note the following dependencies when assigning bandwidth management policies to an interface and a group combined:

• If you apply only a policing policy (i.e. no reservation policy) to an interface, you cannot subsequently assign bandwidth reservation policies to groups using that interface. To apply a bandwidth reservation policy to a group, you must first apply a bandwidth reservation policy to the interface.

• If you apply a reservation policy to an interface, all other policies applied to groups on that interface also include bandwidth reservation.

Use Table 14-6 as a guide to these dependencies when you configure this feature.

Table 14-6 Conceptual Overview of Bandwidth Management Configuration

If you want to... | Enable bandwidth management on the public interface | Policy type: Policing | Policy type: Reservation | Policy type: Aggregation | Apply the policy to
Let users and tunnels consume bandwidth as needed on a first-come first-served basis. | - | - | - | - | -
Reserve every user on the interface a default minimum amount of the bandwidth of the interface. | Yes | - | Yes | - | Interface
Reserve every user in a particular group an equal minimum amount of the bandwidth of the interface. (Users not in the group use the bandwidth reservation assigned to the interface.) | Yes | - | Yes | - | Interface and group
Set aside a fixed amount of bandwidth for the exclusive use of members of a specific group. (Users not in this group cannot access this bandwidth, even if it is unused.) | Yes | - | Yes | Yes | Apply bandwidth reservation to the interface and bandwidth aggregation to the group.
Reserve a set amount of bandwidth for the exclusive use of a LAN-to-LAN tunnel, so that the tunnel can always connect, even when the VPN Concentrator is congested. | Yes | - | Yes | Yes (done automatically) | Interface and LAN-to-LAN
Limit all users on the interface to a set bandwidth threshold. | Yes | Yes | - | - | Interface
Limit all users in a particular group to a set bandwidth threshold. | Yes | Yes | - | - | Apply either bandwidth reservation or policing to the interface, and policing to the group.

Once you know which bandwidth management features you want to apply to which level (interface, group, or LAN-to-LAN), follow the steps in Table 14-7 to configure them.

Table 14-7 Bandwidth Management Configuration Guide

Task: Create a bandwidth management policy
Screen: Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add
Do this: Name the policy, then apply reservation and/or policing and set the corresponding parameters.

Task: Enable bandwidth management on the public interface
Screen: Configuration | Interfaces | Ethernet 2, Bandwidth tab
Do this: Check the Bandwidth Management check box, set the link rate, and apply a bandwidth management policy.

Task: Use bandwidth policing
Screen: Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify
Do this: Create a policing policy: check the Policing check box and enter the policing rate and burst size.

Task: Use bandwidth reservation
Screen: Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify
Do this: Create a reservation policy: check the Bandwidth Reservation check box and enter the minimum bandwidth.

Task: Use bandwidth aggregation
Screen: Configuration | User Management | Groups | Bandwidth Policy | Interfaces
Do this: Set Aggregate Bandwidth to a value greater than zero.

Task: Assign a bandwidth policy to an interface
Screen: Configuration | Interfaces | Ethernet 2, Bandwidth tab
Do this: Choose a policy from the Bandwidth Policy drop-down menu.

Task: Assign a bandwidth policy to a group
Screen: Configuration | User Management | Groups | Bandwidth Policy | Interfaces
Do this: Choose a policy from the Policy drop-down menu.

Task: Assign a bandwidth policy to a LAN-to-LAN connection
Screen: Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify
Do this: Choose a policy from the Bandwidth Policy drop-down menu.

Figure 14-27 Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify Screen

When configuring a bandwidth policy, you must enable (check) either Bandwidth Reservation or Policing. You can enable both policies.

Policy Name

Enter a unique policy name that can help you remember the policy. The maximum length is 32 characters.

Bandwidth Reservation

To reserve a minimum amount of bandwidth for each session, check the Bandwidth Reservation check box.

Minimum Bandwidth

The minimum bandwidth is the amount of bandwidth reserved per user during periods of congestion. Enter a value for the minimum bandwidth and select one of the following units of measurement. The range is 8000 bps to 100 Mbps. The default is 56000 bps.

• bps—bits per second

• kbps—one thousand bits per second

• Mbps—one million bits per second

Policing

To enable policing, check the Policing check box.

Policing Rate

Enter a value for Policing Rate and select the unit of measurement. The VPN Concentrator transmits traffic that is moving below the policing rate and drops traffic that is moving above it. The range is 56000 bps to 100 Mbps. The default is 56000 bps.

• bps—bits per second

• kbps—one thousand bits per second

• Mbps—one million bits per second

Normal Burst Size

The VPN Concentrator drops traffic that exceeds the normal burst size. The normal burst size is the largest instantaneous burst the VPN Concentrator sends at any given time.

To set the burst size, use the following formula: (Policing Rate / 8) * 1.5. For example, to limit users to 250 kbps of bandwidth, set the policing rate to 250 kbps and the burst size to 46875 bytes, that is: (250000 bps / 8) * 1.5.

Enter the Normal Burst Size and select the unit of measurement. The default is 10500 bytes. The minimum is 10500 bytes.

• bytes

• Kbytes—one thousand bytes

• Mbytes—one million bytes
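The two policing thresholds described under Bandwidth Policing, together with the burst-size formula above, as an added example. The manual names the thresholds but not the algorithm behind them; a single-rate token bucket is the standard way to implement a sustained rate plus a burst allowance, and that is what this Python Policer class assumes. It is not the appliance's own code, and the packet streams it polices are constructed for the demonstration.

```python
"""Token-bucket policer: policing rate plus normal burst size.

Added example, not VPN Concentrator code. The manual describes two
thresholds (a sustained rate and a burst allowance) but not the algorithm
behind them; a single-rate token bucket is the standard implementation and
is what this Policer class assumes. The packet streams are constructed.
"""

SCALE = 8 * 1_000_000   # tokens kept in bit-microseconds so every refill is an exact integer


def normal_burst_size(policing_rate_bps):
    """The manual's sizing rule: (policing rate / 8) * 1.5 bytes."""
    return int(policing_rate_bps / 8 * 1.5)


class Policer:
    """Single-rate token bucket: `rate_bps` sustained, `burst_bytes` bucket depth."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps
        self.depth = burst_bytes * SCALE
        self.tokens = self.depth          # the bucket starts full
        self.clock_us = 0

    def offer(self, at_us, size_bytes):
        """Return True if a packet of `size_bytes` arriving at `at_us` is forwarded."""
        refill = (at_us - self.clock_us) * self.rate      # bits/s * us == bit-us
        self.tokens = min(self.depth, self.tokens + refill)
        self.clock_us = at_us
        need = size_bytes * SCALE
        if need <= self.tokens:
            self.tokens -= need
            return True
        return False                      # over the rate and the burst: dropped


def run(policer, packets):
    """packets: iterable of (arrival_us, size_bytes). Returns (forwarded, dropped) bytes."""
    fwd = drop = 0
    for at_us, size in packets:
        if policer.offer(at_us, size):
            fwd += size
        else:
            drop += size
    return fwd, drop


def steady_stream(bps, seconds, pkt=1250):
    """Constructed traffic: `bps` delivered as evenly spaced `pkt`-byte packets."""
    interval_us = pkt * 8 * 1_000_000 // bps
    n = seconds * 1_000_000 // interval_us
    return [(i * interval_us, pkt) for i in range(n)]


def demo(rate=250_000):
    burst = normal_burst_size(rate)                       # 46875 bytes at 250 kbps
    # 1. A single burst exactly the bucket depth passes; one more byte at the same instant is dropped.
    one_burst = run(Policer(rate, burst), [(0, burst), (0, 1)])
    # 2. Ten seconds of traffic at exactly the policing rate is forwarded in full.
    at_rate = run(Policer(rate, burst), steady_stream(rate, 10))
    # 3. Ten seconds at twice the rate: the burst absorbs the first 74 packets, then
    #    the bucket refills half a packet per arrival and every second packet is dropped.
    over_rate = run(Policer(rate, burst), steady_stream(2 * rate, 10))
    return burst, one_burst, at_rate, over_rate


if __name__ == "__main__":
    print(demo())
```

The formula is consistent with the screen's limits: at the minimum policing rate of 56000 bps it yields (56000 / 8) * 1.5 = 10500 bytes, which is the default and minimum Normal Burst Size. The third scenario shows why a burst allowance sized for 1.5 seconds of traffic matters: a short overrun is absorbed without loss, but a sustained overrun is cut back to the policing rate by dropping packets, which is what a practitioner should expect to see in throughput statistics once a tunnel is policed.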

Add/Cancel

To add this policy to the configuration, click Add. To cancel the action, click Cancel.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Bandwidth Policies screen, and the Bandwidth Policies list is unchanged.

Configuration | Policy Management | Certificate Group Matching

This section of the Manager allows you to define rules to match a user's certificate to a permission group based on fields in the distinguished name (DN). In releases previous to 3.6, the VPN Concentrator used the OU field from a user's certificate to assign that user to a permission group. For example, if the OU field of a user's certificate were "Sales," the VPN Concentrator assigned that user to the "Sales" permission group. The certificate group matching feature allows you to identify members of a permission group on the basis of other criteria: you can use other fields of the certificate, or you can have all certificate users share a permission group.

To match users’ permission groups based on other fields of the certificate, you must define rules that specify which fields to match for a group and then enable each rule for that selected group. Rules cannot be longer than 255 characters. A group must already exist in the configuration before you can create a rule for it.

You can assign multiple rules to the same group. When multiple rules are assigned to the same group, a match results for the first rule that tests true.

To match users’ permission groups based on multiple fields in the certificate so that all the criteria must match for the user to be assigned to a permission group, create a single rule with multiple matching criteria. To match users’ permission groups based on one criterion or another so that successfully matching any of the criteria identifies the member of the group, create multiple rules.

For example, to assign particular permissions to members of the Sales group who are in the division "VPNDIV" and who are located in San Jose, create a single rule and assign it to the group "Sales":

sales <-- ou="vpndiv",l="san jose"

To assign particular permissions to members of the Sales group who are either in the VPN division or located in San Jose, create two rules and apply both to the group "Sales":

sales <-- ou="vpndiv"
sales <-- l="san jose"

Once you have defined rules, you must configure a certificate group matching policy to define the method you want to use to identify the permission groups of certificate users: match the group from the rules, match the group from the OU field, or use a default group for all certificate users. You can use any or all of these methods.

Figure 14-28 Configuration | Policy Management | Certificate Group Matching Screen

Rules

Click the Rules link to create certificate group matching rules.

Matching Policy

Click the Matching Policy link to choose a method to identify the permission groups of certificate users.

Configuration | Policy Management | Certificate Group Matching | Rules

This screen lets you:

• Add: Configure and add a new rule for certificate group matching.

• Modify: Modify a previously configured certificate group matching rule.

• Delete: Remove a rule from the configuration.

• Move Up: Change the order of the rule so that it is checked earlier.

• Move Down: Change the order of the rule so that it is checked later.

Figure 14-29 Configuration | Policy Management | Certificate Group Matching | Rules Screen

Add/Modify Rule

To configure and add a new rule, click Add on the Configuration | Policy Management | Certificate Group Matching | Rules screen.

To modify an existing rule, select a rule in the Certificate Matching Rules box and click Modify. When you select a rule, the complete text appears in the box below the Certificate Matching Rules box.

Delete

To delete a configured rule, select the rule from the list in the Certificate Matching Rules box and click Delete. The Manager refreshes the screen and shows the remaining rules in the list.

Move Up

To have the VPN Concentrator check the rule earlier in the order, select the rule and click Move Up.

Move Down

To have the VPN Concentrator check the rule later in the order, select the rule and click Move Down.

Configuration | Policy Management | Certificate Group Matching | Rules | Add or Modify

These screens let you:

• Add: Configure and add a new certificate group matching rule.

• Modify: Modify a previously configured certificate matching rule.

Figure 14-30 Configuration | Policy Management | Certificate Group Matching | Rules | Add or Modify Screen

Enable

To allow the VPN Concentrator to use the rule you are adding or modifying, click Enable. To disable the rule, clear the Enable field. If the rule is disabled, it is marked with (D) in the Certificate Matching Rules box.

Group

Select the group to assign this rule to from the pull-down menu. You can assign this rule only to groups that are currently defined in the configuration. If the group you want to use is not in the list, you must first go to Configuration | User Management | Groups and define the group.

Distinguished Name Component

Select the type of distinguished name (Subject or Issuer) and the fields you want to use in the rule.

A distinguished name can contain a selection from the following fields:

Field | Content
Subject | The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.
Issuer | The CA or other entity (jurisdiction) that issued the certificate.

Subject and Issuer each consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology.

Field | Content
Common Name (CN) | The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.
Surname (SN) | The family name or last name of the certificate owner.
Country (C) | The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
Locality (L) | The city or town where the organization is located.
State/Province (S/P) | The state or province where the organization is located.
Organization (O) | The name of the company, institution, agency, association, or other entity.
Organizational Unit (OU) | The subgroup within the organization.
Title (T) | The title of the certificate owner, such as Dr.
Name (N) | The name of the certificate owner.
Given Name (GN) | The first name of the certificate owner.
Initials (I) | The first letters of each part of the certificate owner's name.
E-mail Address (EA) | The e-mail address of the person, system, or entity that owns the certificate.
Generational Qualifier (GENQ) | A generational qualifier such as Jr, Sr, or III.
DN Qualifier (DNQ) | A specific DN attribute.
Serial Number (SER) | The serial number of the certificate.

Operator

Select the comparison to apply between the selected distinguished name field and the value:

Operator | Meaning
Equals (=) | The distinguished name field must exactly match the value.
Not Equals (!=) | The distinguished name field must not match the value.
Contains (*) | The distinguished name field must contain the value within it.
Does Not Contain (!*) | The distinguished name field must not contain the value within it.

Value

The value to be matched against. The VPN Concentrator automatically places text values within double quotes. To enter values manually, follow the rules on the screen. Values are not case-sensitive.

Append

To enter the next part of a rule, click Append. When you click Append, the VPN Concentrator adds the part you have defined to the rule that appears under Matching Criteria. In this way, you can build a complex rule that tests multiple components. The VPN Concentrator checks the information in the certificate against all parts of the rule. All parts must test true for the rule to match for this group.

Matching Criterion

The matching criterion text box displays the rule. You can create or edit the rule directly in this box. If you create a rule in this way, separate the components with commas and enclose each value in double quotes. If the value itself contains a double quote, write it as two double quotes. For example, enter the value "Tech" Eng as: """Tech"" Eng".

Add/Cancel

After entering all parts of the rule for this group, click Add to complete the action or Cancel to cancel it.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Certificate Group Matching | Rules screen, and the Rules list is unchanged.

Configuration | Policy Management | Certificate Group Matching | Policy

This screen lets you configure a policy for certificate group matching. The VPN Concentrator processes the enabled policies in the order listed until it finds a match.

There are three ways to match a certificate to a group:

• Match Group from Rules: Uses the rules you have defined to match a certificate to a group.

• Obtain Group from OU: Uses the organizational unit field to determine the group to which to match the certificate. (This was the standard policy in releases previous to 3.6.)

• Default to Group: Lets you select a default group for certificate users that is used when neither of the above methods resulted in a match.

By default, the first choice is not checked and the second and third choices are checked.
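The rule language from the Rules | Add or Modify screen (comma-separated components, quoted values with a doubled quote standing for a literal quote, the four operators, case-insensitive values, AND within a rule, OR across rules, first true rule wins) and the three-step policy order above, as an added Python evaluator. This is not VPN Concentrator code: the optional `issuer.` field prefix, the certificate dictionaries, the rule list and the group names are constructed for illustration, and the exact text syntax accepted by the Matching Criteria box may differ from the grammar assumed here.

```python
"""Certificate group matching: rules, operators and the policy order.

Added example, not VPN Concentrator code: a small evaluator for the rule
language described in this section (components separated by commas, values
in double quotes with an embedded quote written as two quotes, operators =,
!=, * and !*, case-insensitive values, all components of one rule ANDed,
rules tried in order with the first true rule winning, then the OU field,
then the default group). The optional `issuer.` field prefix, the cert
dictionaries, the rules and the group names are constructed for
illustration; the exact text syntax of the Matching Criteria box may differ.
"""
import re

MAX_RULE_LEN = 255                                  # limit stated for rules
OPERATORS = {
    "=":  lambda have, want: have == want,
    "!=": lambda have, want: have != want,
    "*":  lambda have, want: want in have,          # Contains
    "!*": lambda have, want: want not in have,      # Does Not Contain
}
_COMPONENT = re.compile(r'\s*(?:(subject|issuer)\.)?([A-Za-z/]+)\s*(!=|!\*|=|\*)\s*"')
_SEPARATOR = re.compile(r'\s*(?:,|$)')


def parse_rule(text):
    """Parse one rule into a list of (dn, FIELD, operator, value) tuples."""
    if len(text) > MAX_RULE_LEN:
        raise ValueError("rule longer than 255 characters")
    parts, pos = [], 0
    while pos < len(text):
        m = _COMPONENT.match(text, pos)
        if not m:
            raise ValueError(f"bad component at offset {pos}: {text[pos:]!r}")
        dn, fld, op = m.group(1) or "subject", m.group(2).upper(), m.group(3)
        value, pos = [], m.end()
        while True:                                 # read up to the closing quote
            if pos >= len(text):
                raise ValueError("unterminated quoted value")
            if text.startswith('""', pos):          # doubled quote = literal quote
                value.append('"'); pos += 2
            elif text[pos] == '"':
                pos += 1
                break
            else:
                value.append(text[pos]); pos += 1
        parts.append((dn, fld, op, "".join(value)))
        sep = _SEPARATOR.match(text, pos)
        if not sep:
            raise ValueError(f"expected ',' at offset {pos}")
        pos = sep.end()
    return parts


def rule_matches(parts, cert):
    """cert = {"subject": {FIELD: value}, "issuer": {...}}. Every component must hold."""
    for dn, fld, op, want in parts:
        have = cert.get(dn, {}).get(fld, "")
        if not OPERATORS[op](have.lower(), want.lower()):
            return False
    return True


def select_group(cert, rules, groups, policy):
    """Apply the Certificate Group Matching policy in the documented order."""
    if policy.get("match_rules"):                   # Match Group from Rules
        for group, text, enabled in rules:
            if enabled and group in groups and rule_matches(parse_rule(text), cert):
                return group
    ou = cert["subject"].get("OU")
    # Obtain Group from OU. Assumption: the OU must name a configured group.
    if policy.get("obtain_from_ou") and ou in groups:
        return ou
    return policy.get("default_group")              # Default to Group (None if not enabled)


# Constructed configuration: (group, rule text, enabled). Order matters.
GROUPS = {"Sales", "Engineering", "Contractors", "Base Group"}
RULES = [
    ("Sales", 'ou="vpndiv",l="san jose"', True),    # both components must match
    ("Sales", 'ou="vpndiv"', True),                 # separate rules act as OR
    ("Sales", 'l="san jose"', True),
    ("Contractors", 'issuer.o*"partner"', False),   # disabled: listed with (D)
    ("Engineering", 'ou="""Tech"" Eng"', True),     # value "Tech" Eng, quotes doubled
]
POLICY = {"match_rules": True, "obtain_from_ou": True, "default_group": "Base Group"}


def constructed_cert(**subject):
    """A stand-in for the parsed certificate DNs; field names are X.520 acronyms."""
    return {"subject": {k.upper(): v for k, v in subject.items()},
            "issuer": {"CN": "Partner CA", "O": "Partner Inc"}}


if __name__ == "__main__":
    for who in ({"cn": "alice", "ou": "VPNDIV", "l": "San Jose"},
                {"cn": "bob", "ou": "Finance", "l": "San Jose"},
                {"cn": "carol", "ou": '"Tech" Eng'},
                {"cn": "eve", "ou": "Marketing"}):
        print(who["cn"], "->", select_group(constructed_cert(**who), RULES, GROUPS, POLICY))
```

Two points the evaluator makes visible. Contains (*) is a case-folded substring test, so a rule such as ou*"eng" also matches an OU like "Sales-Engagement"; use Equals where the field value is fixed. And because a rule may test Issuer fields, adding an issuer.o or issuer.cn component ties the group to certificates from one CA, so a subject DN carrying the same OU but issued by a different trusted CA does not land in the group.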

Figure 14-31 Configuration | Policy Management | Certificate Group Matching | Policy Screen

Match Group from Rules

To use the rules you have defined for certificate group matching, click to select Match Group from Rules.

Obtain Group from OU

To use the organizational unit in the certificate to specify the group to match, click to select Obtain Group from OU. This choice is enabled by default.

Default to Group

To use a default group or the Base Group for certificate users, click to select Default to Group. Then select the group from the drop down box. The group must already exist in the configuration. If the group does not appear in the list, you must define it by using the Configuration | User Management | Groups screen. This choice is enabled for the Base Group by default.

Apply/Cancel

After checking the policies you want to use for certificate group matching, click Apply. Or to cancel, click Cancel.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Certificate Group Matching | Policy screen, and the Policy list is unchanged.

Chapter 15

Tunneling and Security

Tunneling protocols are the heart of virtual private networking. The tunnels make it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network.

The secure connection is called a tunnel. The VPN 3000 Concentrator Series uses tunneling protocols to:

• Negotiate tunnel parameters

• Establish tunnels

• Authenticate users and data

• Manage security keys

• Encrypt and decrypt data

• Manage data transfer across the tunnel

• Manage data transfer inbound and outbound as a tunnel endpoint or router

The VPN Concentrator functions as a bidirectional tunnel endpoint: it can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination; or it can receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.

The VPN Concentrator supports the most popular VPN tunneling protocols:

• PPTP: Point-to-Point Tunneling Protocol

• L2TP: Layer 2 Tunneling Protocol

• IPSec: IP Security Protocol

• WebVPN: SSL VPN, which provides VPN services to remote users via an HTTPS-enabled Web browser, and does not require a client

It also supports L2TP over IPSec, which provides interoperability with the VPN Client provided by Microsoft. The VPN Concentrator is also interoperable with other clients that conform to L2TP/IPSec standards, but it does not formally support those clients.

This section explains how to configure:

• System-wide parameters for PPTP and L2TP

• IPSec LAN-to-LAN connections

• IKE proposals for IPSec Security Associations and LAN-to-LAN connections

• NAT Transparency, which includes IPSec over TCP and NAT Traversal (NAT-T)

• WebVPN connections

To configure L2TP over IPSec, see Configuration | Tunneling and Security | IPSec | IKE Proposals, and Configuration | User Management.

Configuration | Tunneling and Security

This section of the Manager lets you configure system-wide parameters for tunneling protocols.

• PPTP: Configure PPTP parameters

• L2TP: Configure L2TP parameters

• IPSec: Configure IPSec parameters and connections

– LAN-to-LAN: IPSec LAN-to-LAN connections between two VPN Concentrators (or between the VPN Concentrator and another secure gateway)

– IKE Proposals: IKE proposals for IPSec Security Associations and LAN-to-LAN connections

– NAT Transparency: IPSec over TCP and IPSec over NAT-T

– Alerts: Disconnect notifications to clients and peers

• SSH: Configure a Secure Shell protocol server

• SSL: Configure Secure Socket Layer parameters for management and for WebVPN sessions

– HTTPS: Enable, port, and client authentication

– Protocols: Encryption protocols and SSL version

• WebVPN: Configure parameters for SSL VPN connections

Figure 15-1 Configuration | Tunneling and Security Screen

Configuration | Tunneling and Security | PPTP

This screen lets you configure system-wide PPTP (Point-to-Point Tunneling Protocol) parameters.

The PPTP protocol defines mechanisms for establishing and controlling the tunnel, but uses Generic Routing Encapsulation (GRE) for data transfer.

PPTP is a client-server protocol. The VPN Concentrator always functions as a PPTP Network Server (PNS) and supports remote PC clients. The PPTP tunnel extends all the way from the PC to the VPN Concentrator.

PPTP is popular with Microsoft clients. Microsoft Dial-Up Networking (DUN) 1.2 and 1.3 under Windows 95/98 support it, as do versions of Windows NT 4.0, Windows 2000, and Windows XP. PPTP is typically used with Microsoft encryption (MPPE).

You can configure PPTP on rules in filters; see Configuration | Policy Management | Traffic Management. Groups and users also have PPTP parameters; see Configuration | User Management.

Figure 15-2 Configuration | Tunneling and Security | PPTP Screen

Note Cisco supplies default settings for PPTP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel.

Enabled

Check the Enabled check box to enable PPTP system-wide functions on the VPN Concentrator, or uncheck it to disable. The box is checked by default.

Caution Disabling PPTP terminates any active PPTP sessions.

Maximum Tunnel Idle Time

Enter the time, in seconds, to wait before disconnecting an established PPTP tunnel with no active sessions. An open tunnel consumes system resources. Enter 0 to disconnect the tunnel immediately after the last session terminates (no idle time). The maximum idle time is 86400 seconds (24 hours). The default is 5 seconds.

Packet Window Size

Enter the maximum number of received but unacknowledged PPTP packets that the system can buffer. The system must queue unacknowledged PPTP packets until it can process them. The minimum number of packets is 0. The maximum number is 32. The default is 16 packets.

Limit Transmit to Window

Check the Limit Transmit to Window check box to limit the number of transmitted PPTP packets to the client's packet window size. Ignoring the window improves performance, provided that the client can ignore the window violation. The box is unchecked by default.

Max. Tunnels

Enter the maximum allowed number of simultaneously active PPTP tunnels. The minimum number of tunnels is 0. The maximum number of tunnels depends on the VPN Concentrator model, for example: model 3060 = 5000. Enter 0 for unlimited tunnels (the default).

Max. Sessions/Tunnel

Enter the maximum number of sessions allowed per PPTP tunnel. The minimum number of sessions is 0. The maximum number of sessions depends on the VPN Concentrator model, for example: model 3060 = 5000. Enter 0 for unlimited sessions (the default).

Packet Processing Delay

Enter the packet processing delay for PPTP flow control. This parameter is sent to the client in a PPTP control packet. Entries are in units of 100 milliseconds (0.1 second). The maximum delay is 65535; the default delay is 1 (0.1 second).

Acknowledgement Delay

Enter the number of milliseconds that the VPN Concentrator will wait to send an acknowledgement to the client when there is no data packet on which to piggyback an acknowledgement. Enter 0 to send an immediate acknowledgement. The minimum delay is 50 milliseconds. The maximum delay is 5000 milliseconds. The default delay is 500 milliseconds.

Acknowledgement Timeout

Enter the number of seconds to wait before determining that an acknowledgement has been lost, in other words, before resuming transmission to the client even though the transmit window is closed. The minimum number of seconds is 1. The maximum number of seconds is 10. The default value is 3 seconds.

Apply / CancelTo apply your PPTP settings and to include them in the active configuration, click Apply. The Manager returns to the Configuration | Tunneling and Security screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security screen.

Configuration | Tunneling and Security | L2TP
This screen lets you configure system-wide L2TP (Layer 2 Tunneling Protocol) parameters.

L2TP is a client-server protocol. It combines many features from PPTP and L2F (Layer 2 Forwarding), and is regarded as a successor to both. The L2TP protocol defines mechanisms both for establishing and controlling the tunnel and for transferring data.

The VPN Concentrator always functions as an L2TP Network Server (LNS) and supports remote PC clients. The L2TP tunnel extends all the way from the PC to the VPN Concentrator. When the client PC is running Windows 2000, the L2TP tunnel is typically layered over an IPSec transport connection.

You can configure L2TP on rules in filters; see Configuration | Policy Management | Traffic Management. Groups and users also have L2TP parameters; see Configuration | User Management.

Figure 15-3 Configuration | Tunneling and Security | L2TP Screen

Note Cisco supplies default settings for L2TP parameters that ensure optimum performance for typical VPN use. We strongly recommend that you not change the defaults without advice from Cisco personnel.

Enabled
Check the Enabled check box to enable L2TP system-wide functions on the VPN Concentrator, or uncheck it to disable. The box is checked by default.

Caution Disabling L2TP terminates any active L2TP sessions.

Maximum Tunnel Idle Time
Enter the time in seconds to wait before disconnecting an established L2TP tunnel with no active sessions. An open tunnel consumes system resources. Enter 0 to disconnect the tunnel immediately after the last session terminates (no idle time). Maximum is 86400 seconds (24 hours). The default is 60 seconds.

Control Window Size
Enter the maximum number of unacknowledged L2TP control channel packets that the system can receive and buffer. The minimum number of packets is 1. The maximum number is 16. The default number is 4.

Control Retransmit Interval
Enter the time in seconds to wait before retransmitting an unacknowledged L2TP tunnel control message to the remote client. Minimum is 1 (the default), and maximum is 10 seconds.

Control Retransmit Limit
Enter the number of times to retransmit L2TP tunnel control packets before assuming that the remote client is no longer responding. The minimum number of times is 1. The maximum number of times is 32. The default is 4 times.

Max. Tunnels
Enter the maximum allowed number of simultaneously active L2TP tunnels. The minimum value is 0 tunnels. The maximum value depends on the VPN Concentrator model; for example, model 3060 can have a maximum of 5000 tunnels. Enter 0 for unlimited tunnels. The default value is 0.

Max. Sessions/Tunnel
Enter the maximum number of sessions allowed per L2TP tunnel. The minimum number of sessions is 0. The maximum number depends on the VPN Concentrator model, for example: model 3060 = 5000. Enter 0 for unlimited sessions (the default).

Hello Interval
Enter the time in seconds to wait when the L2TP tunnel is idle (no control or payload packets received) before sending a Hello (or “keepalive”) packet to the remote client. The minimum wait time is 1 second. The maximum wait time is 3600 seconds. The default wait time is 60 seconds.

Apply / Cancel
To apply your L2TP settings and to include them in the active configuration, click Apply. The Manager returns to the Configuration | Tunneling and Security screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security screen.

Configuration | Tunneling and Security | IPSec
This section of the Manager lets you configure IPSec LAN-to-LAN connections, IKE (Internet Key Exchange) parameters for IPSec Security Associations and LAN-to-LAN connections, and NAT Transparency.

IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN connections and client-to-LAN connections can use IPSec.

In IPSec terminology, a “peer” is a remote-access client or another secure gateway. During tunnel establishment under IPSec, the two peers negotiate Security Associations that govern authentication, encryption, encapsulation, key management, etc. These negotiations involve two phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within the tunnel (the IPSec SA).

In IPSec LAN-to-LAN connections, the VPN Concentrator can function as initiator or responder. In IPSec client-to-LAN connections, the VPN Concentrator functions only as responder. Initiators propose SAs; responders accept, reject, or make counter-proposals—all in accordance with configured SA parameters. To establish a connection, both entities must agree on the SAs.

The VPN Client complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients. Likewise, the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN devices (often called “secure gateways”).

The Cisco VPN Client supports these IPSec attributes:

• Main mode for negotiating phase one ISAKMP Security Associations (SAs) when using digital certificates for authentication

• Aggressive mode for negotiating phase one ISAKMP Security Associations (SAs) when using preshared keys for authentication

• Authentication Algorithms:

– ESP-MD5-HMAC-128

– ESP-SHA1-HMAC-160

• Authentication Modes:

– Preshared Keys

– X.509 Digital Certificates

• Diffie-Hellman Groups 1, 2, 5, and 7

• Encryption Algorithms:

– AES-128, -192, and -256

– 3DES-168

– DES-56

– ESP-NULL

• Extended Authentication (XAuth)

• Mode Configuration (also known as ISAKMP Configuration Method)

• Tunnel Encapsulation Mode

• IP compression (IPCOMP) using LZS

You configure IKE proposals (parameters for the IKE SA) here. You apply them to IPSec LAN-to-LAN connections in this section, and to IPSec SAs on the Configuration | Policy Management | Traffic Management | Security Associations screens. Therefore, you should configure IKE proposals before configuring other IPSec parameters. Cisco supplies default IKE proposals that you can use or modify.

Figure 15-4 Configuration | Tunneling and Security | IPSec Screen

Configuration | Tunneling and Security | IPSec | LAN-to-LAN
This section of the Manager lets you configure, add, modify, and delete IPSec LAN-to-LAN connections between two VPN Concentrators.

While the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN secure gateways, these instructions assume VPN Concentrators on both sides. And here, the “peer” is the other VPN Concentrator or secure gateway.

In a LAN-to-LAN connection, IPSec creates a tunnel between the public interfaces of two VPN Concentrators, which correspondingly route secure traffic to and from many hosts on their private LANs. There is no user configuration or authentication in a LAN-to-LAN connection; all hosts configured on the private networks can access hosts on the other side of the connection, at any time.

You can configure only one LAN-to-LAN connection with each VPN Concentrator (or other secure gateway) peer. You must configure identical basic IPSec parameters on both VPN Concentrators and configure mirror-image private network addresses or network lists.

The VPN Concentrator also provides a network autodiscovery feature that dynamically discovers and updates the private network addresses on each side of the LAN-to-LAN connection, so you do not have to explicitly configure them. This feature works only when both devices are VPN Concentrators and both VPN Concentrators have routing enabled on the private interface.

You must configure a public interface on the VPN Concentrator before you can configure an IPSec LAN-to-LAN connection. See the Configuration | Interfaces screens.

You must also configure IKE proposals before configuring LAN-to-LAN connections. See the Configuration | Tunneling and Security | IPSec | IKE Proposals screens.

If you are using a network list to specify the local or remote network, you must create the network list before you configure the LAN-to-LAN connection. See the Configuration | Policy Management | Traffic Management | Network Lists screen.

Backup LAN-to-LANs
The Backup LAN-to-LAN feature allows you to establish redundancy for your LAN-to-LAN connection. Unlike VRRP, which provides a failover for the entire VPN Concentrator, Backup LAN-to-LAN provides a failover for a particular LAN-to-LAN connection only. Although VRRP and Backup LAN-to-LAN are both means of establishing continuity of service should a VPN Concentrator fail, Backup LAN-to-LAN provides certain advantages that VRRP does not. Whereas you cannot configure VRRP and load balancing on the same VPN Concentrator, you can configure Backup LAN-to-LAN and load balancing on the same device. Whereas VRRP backup peers cannot be geographically dispersed, redundant backup LAN-to-LAN peers do not have to be located at the same site.

Note This feature does not work with VRRP. If you are setting up a backup LAN-to-LAN configuration, disable VRRP.

A backup LAN-to-LAN configuration has two sides: a central side and a remote side. The central side is the endpoint of the connection where the backup VPN Concentrators reside. (If the backup VPN Concentrators reside in different geographic places, there may be more than one central side.) The endpoint of its LAN-to-LAN peer is the remote side. (See Figure 15-5.)

Figure 15-5 The Two Endpoints of the Connection

The remote side VPN Concentrator has a peer list of all (up to ten) of the central side VPN Concentrators. The peers appear on the list in their order of priority. Each central side VPN Concentrator has a peer list of the (one) remote side peer.

In a backup LAN-to-LAN setup, the remote peer always initiates the connection. It tries to connect to the first VPN Concentrator on its peer list. If that VPN Concentrator is unavailable, then it tries to connect to the second peer on the list. It continues in this way until it connects to one of the peers on the list. Once the connection is established, if it later fails, the remote side peer again tries to connect to the first peer on its list. If that VPN Concentrator is unavailable, it tries the second, and so on. In this way, the remote VPN Concentrator reestablishes the LAN-to-LAN connection with only a brief interruption of service.

In a non-redundant LAN-to-LAN connection, the first data to travel from one peer to another brings up the IKE tunnel. The tunnel exists for the duration of the data transmission only. When the data stops transmitting, the tunnel goes down. In a backup LAN-to-LAN configuration, the peers establish the tunnel in a different manner. During IKE tunnel establishment, the VPN Concentrator at each endpoint of the LAN has a unique role. It can either originate or accept IKE tunnels. In most cases, you configure the remote side VPN Concentrator to originate the tunnel and the central side VPN Concentrator to accept it. Once the IPSec tunnel is established, data travels in both directions; each side can both receive and send data. The tunnel remains up at all times, even if data transmission stops.

The unique role of the VPN Concentrator in establishing the IKE tunnel is called its connection type. There are three connection types:

• Originate-Only: This VPN Concentrator originates the IKE tunnel. An originate-only endpoint is analogous to a telephone that only makes outgoing phone calls; it cannot receive calls.

• Answer-Only: This VPN Concentrator accepts the IKE tunnel. An answer-only connection is analogous to a telephone that only receives incoming calls; it cannot make calls.

• Bi-directional: This VPN Concentrator can either originate or accept the IKE tunnel. It is like a telephone that can both make calls and receive calls.

For backup LAN-to-LAN, configure the remote side VPN Concentrator with a connection type of Originate-Only; configure the central side VPN Concentrator with a connection type of Answer-Only.

Configure the LAN-to-LAN parameters of all the central side VPN Concentrators in the backup LAN-to-LAN setup identically. Except for the Connection Type and Peer List, configure the LAN-to-LAN parameters identically for the remote and central side peers as well.

[Figure 15-5 labels: Remote Side VPN Concentrator, Internet, Central Side VPN Concentrators]

It is a good idea to configure Reverse Route Injection on both the remote and central side peers. If you do not use RRI, you will have to configure the routes manually. Keep in mind that the VPN Concentrators do not send out routes until they establish the IKE connection and thus know the IP addresses of the tunnel endpoints.

Figure 15-6 shows an example backup LAN-to-LAN configuration.

Figure 15-6 An Example Backup LAN-to-LAN Configuration

Figure 15-7 Configuration | Tunneling and Security | IPSec LAN-to-LAN Screen

Figure 15-6 labels (the configuration shown in the figure, remote side and central side connected across the Internet):

• Remote side VPN Concentrator: public interface 192.168.0.1; peer list 150.150.0.1, 150.150.0.2, 150.150.0.3; connection type Originate-Only.

• Central side VPN Concentrator: public interface 150.150.0.1; peer list 192.168.0.1; connection type Answer-Only.

• Central side VPN Concentrator: public interface 150.150.0.2; peer list 192.168.0.1; connection type Answer-Only.

• Central side VPN Concentrator: public interface 150.150.0.3; peer list 192.168.0.1; connection type Answer-Only.

LAN-to-LAN Connection
The LAN-to-LAN Connection list shows connections that have been configured. The connections are listed in alphabetical order. Entries have the following formats:

• If the LAN-to-LAN Connection is Bi-Directional or Answer-Only, its entry appears in the format: Name (Peer IP Address) on Interface (Interface Type). For example: Branch 1 (192.168.34.56) on Ethernet 2 (Public)

• If the LAN-to-LAN Connection is Originate-Only, it appears in the format: Name on Interface (Interface Type). For example: Branch 1 on Ethernet 2 (Public)

Disabled LAN-to-LAN connections are marked (D). If no connections have been configured, the list shows --Empty--.

Add / Modify / Delete
To configure and add a new connection, click Add. See the Configuration | Tunneling and Security | IPSec LAN-to-LAN | Add screen. If you have not configured a public interface, the Manager displays the Configuration | Tunneling and Security | IPSec LAN-to-LAN | No Public Interfaces screen.

To modify the parameters of a configured connection, select the connection from the list and click Modify. See the Configuration | Tunneling and Security | IPSec LAN-to-LAN | Modify screen.

To delete a configured connection, select the connection from the list and click Delete.

Note There is no confirmation or undo.

The Manager deletes the connection, its LAN-to-LAN filter rules, SAs, and group. The Manager then refreshes the screen and shows the remaining connections in the list.

Caution Deleting a connection immediately deletes any tunnels (and user sessions) using that connection.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Tunneling and Security | IPSec | LAN-to-LAN | No Public Interfaces

The Manager displays this screen if you have not configured a public interface on the VPN Concentrator and you try to add an IPSec LAN-to-LAN connection. The public interface need not be enabled, but it must be configured with an IP address and the Public Interface parameter enabled.

You should designate only one VPN Concentrator interface as a public interface.

Figure 15-8 Configuration | Tunneling and Security | IPSec LAN-to-LAN | No Public Interfaces Screen

Click the highlighted link to configure the desired public interface. The Manager opens the appropriate Configuration | Interfaces screen.

Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add or Modify

These screens let you:

• Add: Configure and add a new IPSec LAN-to-LAN connection.

• Modify: Modify parameters of a configured IPSec LAN-to-LAN connection.

You must configure a public interface on the VPN Concentrator before you can configure an IPSec LAN-to-LAN connection. See the Configuration | Interfaces screens.

You can configure only one LAN-to-LAN connection with each VPN Concentrator (or other secure gateway) peer.

The maximum number of LAN-to-LAN connections supported is determined by the hardware and is model-dependent.

Table 15-1 Maximum LAN-to-LAN Connections for Each VPN Concentrator Model

VPN Concentrator Model    Maximum Number of Sessions
3005 & 3015               100
3020 & 3030               500
3060 & 3080               1000

Figure 15-9 Configuration | Tunneling and Security | IPSec LAN-to-LAN | Add or Modify Screen

When you Add or Modify a connection on these screens, the VPN Concentrator automatically:

• Creates or modifies two filter rules with the Apply IPSec action: one inbound, one outbound, named L2L:<Name> In and L2L:<Name> Out.

• Creates or modifies an IPSec Security Association named L2L:<Name>.

• Applies these rules to the filter on the public interface and applies the SA to the rules. If the public interface does not have a filter, it applies the Public (default) filter with the preceding rules.

• Creates or modifies a group named with the Peer IP address. If the VPN Concentrator internal authentication server has not been configured, it does so, and adds the group to the database.

All of the rules, SAs, filters, and group have default parameters or those specified on this screen. You can modify the rules and SA on the Configuration | Policy Management | Traffic Management screens, the group on the Configuration | User Management | Groups screens, and the interface on the Configuration | Interfaces screens. However, we recommend that you keep the configured defaults. You cannot delete these rules, SAs, or group individually; the system automatically deletes them when you delete the LAN-to-LAN connection.

To fully configure a LAN-to-LAN connection, you must configure identical IPSec LAN-to-LAN parameters on both VPN Concentrators, and configure mirror-image local and remote private network addresses. For example:

Configure         On this VPN Concentrator    On Peer VPN Concentrator
Local Network     10.10.0.0/0.0.255.255       11.0.0.0/0.255.255.255
Remote Network    11.0.0.0/0.255.255.255      10.10.0.0/0.0.255.255

If you use network lists, you must also configure and apply them as mirror images on the two VPN Concentrators. If you use network autodiscovery, you must use it on both VPN Concentrators.

Caution On the Modify screen, any changes take effect as soon as you click Apply. If client sessions are using this connection, changes delete the tunnel (and the sessions) without warning.

Enable
Check the Enable check box to enable this LAN-to-LAN connection. To disable this connection, uncheck the check box. By default, this option is enabled.

This option can be useful for debugging, as it allows you to disable a LAN-to-LAN configuration without deleting it.

To disable a LAN-to-LAN connection, it is sufficient to uncheck this option on either the central site or the remote peer VPN Concentrator. You do not have to uncheck it on both.

Name
Enter a unique descriptive name for this connection. The maximum name length is 32 characters. Since the created rules and SA use this name, we recommend that you keep it short.
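As an added example (not Cisco's code or the Manager's own logic), the Python below checks the constraints this manual states for a backup LAN-to-LAN setup (see the “Backup LAN-to-LANs” section) and for mirror-image Local/Remote Network entries, and models the order in which the remote peer walks its peer list. The LanToLan structure is hypothetical, and the sample values are constructed from Figure 15-6 and the mirror-image table above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional

MAX_PEERS = 10      # a remote side peer list holds at most ten central side peers
MAX_NAME_LEN = 32   # limit of the Name field on the Add/Modify screen


@dataclass
class LanToLan:
    """One end of a LAN-to-LAN connection (hypothetical structure for this example)."""
    name: str
    public_interface: str     # address of this VPN Concentrator's public interface
    connection_type: str      # "Bi-directional", "Answer-Only" or "Originate-Only"
    peers: List[str]          # peer public addresses, top to bottom in priority order
    local_network: str        # Manager notation "address/wildcard mask"
    remote_network: str
    encryption: str = "3DES-168"
    authentication: str = "ESP/MD5/HMAC-128"
    ike_proposal: str = "IKE-3DES-MD5"


def wildcard_to_network(entry: str) -> IPv4Network:
    """Convert a Manager entry such as 10.10.0.0/0.0.255.255 to a network;
    the wildcard mask is the bitwise inverse of the netmask."""
    address, wildcard = entry.split("/")
    netmask = int(IPv4Address("255.255.255.255")) ^ int(IPv4Address(wildcard))
    return IPv4Network((address, str(IPv4Address(netmask))), strict=False)


def mirror_errors(this_side: LanToLan, peer_side: LanToLan) -> List[str]:
    """The two ends must name the same private networks from opposite viewpoints
    and agree on the IPSec parameters."""
    errors = []
    pairs = [("Local", this_side.local_network, "Remote", peer_side.remote_network),
             ("Remote", this_side.remote_network, "Local", peer_side.local_network)]
    for label, net, peer_label, peer_net in pairs:
        if wildcard_to_network(net) != wildcard_to_network(peer_net):
            errors.append(f"{this_side.public_interface}: {label} Network {net} is not "
                          f"the mirror of {peer_side.public_interface} {peer_label} "
                          f"Network {peer_net}")
    for attr in ("encryption", "authentication", "ike_proposal"):
        if getattr(this_side, attr) != getattr(peer_side, attr):
            errors.append(f"{attr} differs between {this_side.public_interface} "
                          f"and {peer_side.public_interface}")
    return errors


def backup_lan_to_lan_errors(remote: LanToLan, centrals: List[LanToLan]) -> List[str]:
    """Rules from the Backup LAN-to-LANs section: remote side Originate-Only with
    up to ten prioritized peers, every central side Answer-Only with the single
    remote peer, central sides configured identically, each pair a mirror image."""
    errors = []
    if remote.connection_type != "Originate-Only":
        errors.append(f"remote side must be Originate-Only, not {remote.connection_type}")
    if not 1 <= len(remote.peers) <= MAX_PEERS:
        errors.append(f"remote side lists {len(remote.peers)} peers (1-{MAX_PEERS} allowed)")
    if len(remote.name) > MAX_NAME_LEN:
        errors.append(f"name {remote.name!r} exceeds {MAX_NAME_LEN} characters")
    central_addrs = {c.public_interface for c in centrals}
    for addr in remote.peers:
        if addr not in central_addrs:
            errors.append(f"peer list entry {addr} is not a central side public interface")
    reference = centrals[0]
    for central in centrals:
        if central.connection_type != "Answer-Only":
            errors.append(f"central side {central.public_interface} must be Answer-Only, "
                          f"not {central.connection_type}")
        if central.peers != [remote.public_interface]:
            errors.append(f"central side {central.public_interface} peer list must be "
                          f"exactly [{remote.public_interface}]")
        if central.public_interface not in remote.peers:
            errors.append(f"central side {central.public_interface} is missing from "
                          f"the remote side peer list")
        for attr in ("local_network", "remote_network", "encryption",
                     "authentication", "ike_proposal"):
            if getattr(central, attr) != getattr(reference, attr):
                errors.append(f"central side {central.public_interface}: {attr} "
                              f"differs from {reference.public_interface}")
        errors.extend(mirror_errors(remote, central))
    return errors


def first_reachable_peer(remote: LanToLan, reachable: Iterable[str]) -> Optional[str]:
    """The central side the remote peer connects to: it walks its list top to
    bottom and stops at the first peer that answers (None if none does)."""
    reachable = set(reachable)
    return next((addr for addr in remote.peers if addr in reachable), None)


# Constructed sample using the addresses of Figure 15-6 and the mirror-image
# network table from the Add/Modify screen description.
REMOTE = LanToLan("Branch1", "192.168.0.1", "Originate-Only",
                  ["150.150.0.1", "150.150.0.2", "150.150.0.3"],
                  "10.10.0.0/0.0.255.255", "11.0.0.0/0.255.255.255")
CENTRALS = [LanToLan("Branch1", addr, "Answer-Only", ["192.168.0.1"],
                     "11.0.0.0/0.255.255.255", "10.10.0.0/0.0.255.255")
            for addr in ("150.150.0.1", "150.150.0.2", "150.150.0.3")]
```

Running `backup_lan_to_lan_errors(REMOTE, CENTRALS)` on the sample returns no errors; swapping one central side's connection type or its Local/Remote networks produces a descriptive error line for that peer.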

Interface
Add screen:

• Click the Interface drop-down menu button and select the configured public interface on this VPN Concentrator for this end of the LAN-to-LAN connection. The list shows all interfaces that have the Public Interface parameter enabled. See Configuration | Interfaces.

Modify screen:

• The screen shows the configured public interface on this VPN Concentrator for this end of the LAN-to-LAN connection. You cannot change the interface. To move the connection to another interface, you must delete this connection and add a new one for the other interface.

Connection Type
Enter the role of this VPN Concentrator in IKE tunnel establishment. For a non-redundant LAN-to-LAN configuration, use Bi-directional. If this VPN Concentrator is a remote side peer in a backup LAN-to-LAN setup, choose Originate-Only; if it is a central side peer, choose Answer-Only. For more information on configuring LAN-to-LAN redundancy, see the “Backup LAN-to-LANs” section on page 15-11.

• Bi-directional: This VPN Concentrator can either initiate or accept IKE tunnels.

• Answer-only: This VPN Concentrator only accepts IKE tunnels; it does not initiate them.

• Originate-only: This VPN Concentrator only initiates IKE tunnels; it does not accept them.

Note You cannot use XML to modify either the Connection Type or the Peers fields. The XML request reports success, but the configuration file remains unchanged.

Peers
Enter the IP address of the public interface of this VPN Concentrator’s LAN-to-LAN peer. Use dotted decimal notation, for example: 192.168.34.56.

If this is a remote side VPN Concentrator in a backup LAN-to-LAN configuration, you may configure up to ten peers. List the peers from top to bottom in order of their priority. For more information on configuring LAN-to-LAN redundancy, see the “Backup LAN-to-LANs” section on page 15-11.

Digital Certificate
This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under Administration | Certificate Management.

Click the Digital Certificate drop-down menu button and choose the option. The list shows any digital certificates that have been installed, plus:

• None (Use Preshared Keys) = Use only preshared keys to authenticate the peer during Phase 1 IKE negotiations. This is the default choice.

Certificate Transmission
If you configured authentication using digital certificates, choose the type of certificate transmission.

• Entire certificate chain = Send the peer the identity certificate and all issuing certificates. Issuing certificates include the root certificate and any subordinate CA certificates.

• Identity certificate only = Send the peer only the identity certificate.

Preshared Key
Enter a preshared key for this connection. Use a minimum of 4 and a maximum of 32 alphanumeric characters, for example: sZ9s14ep7. The system displays your entry in clear text.

This key becomes the password for the IPSec LAN-to-LAN group that is created, and you must enter the same key on the peer VPN Concentrator. (This is not a manual encryption or authentication key. The system automatically generates those session keys.)

Authentication
This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that data comes from whom you think it comes from; it is often referred to as “data integrity” in VPN literature. The IPSec ESP (Encapsulating Security Payload) protocol provides both encryption and authentication.

Click the Authentication drop-down menu button and choose the algorithm:

• None = No data authentication.

• ESP/MD5/HMAC-128 = ESP protocol using HMAC (Hashed Message Authentication Coding) with the MD5 hash function using a 128-bit key. This is the default choice.

• ESP/SHA/HMAC-160 = ESP protocol using HMAC with the SHA-1 hash function using a 160-bit key. This choice is more secure but requires more processing overhead.

Encryption
This parameter specifies the data, or packet, encryption algorithm. Data encryption makes the data unreadable if intercepted.

Click the Encryption drop-down menu button and choose the algorithm:

• Null = Use ESP without encryption; no packet encryption.

• DES-56 = Use DES encryption with a 56-bit key.

• 3DES-168 = Use Triple-DES encryption with a 168-bit key. This is the default.

• AES-128 = Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.

• AES-192 = AES encryption with a 192-bit key.

• AES-256 = AES encryption with a 256-bit key.

IKE Proposal
This parameter specifies the set of attributes for Phase 1 IPSec negotiations, which are known as IKE proposals. See the Configuration | Tunneling and Security | IPSec | IKE Proposals screen. You must configure, activate, and prioritize IKE proposals before configuring LAN-to-LAN connections.

Click the IKE Proposal drop-down menu button and choose the IKE proposal. The list shows only active IKE proposals in priority order. Cisco-supplied default active proposals are:

• CiscoVPNClient-3DES-MD5 = Use preshared keys (XAUTH) and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 2 to generate SA keys. This choice allows XAUTH user-based authentication and is the default.

• IKE-3DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 2 to generate SA keys.

• IKE-3DES-MD5-DH1 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 1 to generate SA keys. This choice is compatible with the VPN Client.

• IKE-DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use DES-56 encryption. Use D-H Group 1 to generate SA keys. This choice is compatible with the VPN Client.

• IKE-3DES-MD5-DH7 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 7 (ECC) to generate SA keys. This IKE proposal is intended for use with the movianVPN client; it can also be used with any peer that supports ECC groups for D-H.

• IKE-3DES-MD5-RSA = Use RSA digital certificate and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 2 to generate SA keys.

• IKE-AES128-SHA = Use preshared keys and SHA/HMAC-160 for authentication. Use AES-128 for encryption. Use D-H Group 2 or Group 5 to generate SA keys.

Filter

Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the VPN Concentrator, based on criteria such as source address, destination address, and protocol. Cisco supplies three default filters, which you can modify. To configure filters and rules, see the Configuration | Policy Management | Traffic Management screens.

Click the Filter drop-down menu button and select the filter:

• --None-- = No filter applied, which means there are no restrictions on tunneled data traffic. This is the default selection.

• Private (Default) = Allow all packets except source-routed IP packets. (This is the default filter for the private Ethernet interface.)

• Public (Default) = Allow inbound and outbound tunneling protocols plus ICMP and VRRP. Allow fragmented IP packets. Drop everything else, including source-routed packets. (This is the default filter for the public Ethernet interface.)

• External (Default) = No rules applied to this filter. Drop all packets. (This is the default filter for the external Ethernet interface.)

Additional filters that you have configured also appear on the list.

IPSec NAT-T
NAT-T (NAT Traversal) lets IPSec peers establish a LAN-to-LAN connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary.

The VPN Concentrator implementation of NAT-T supports IPSec peers behind a single NAT/PAT device as follows:

• One Microsoft L2TP/IPSec client (can support other remote access clients and one L2TP/IPSec client).

• One LAN-to-LAN connection.

• Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.

To use NAT-T you must:

• Open port 4500 on any firewall you have configured in front of a VPN Concentrator.

• Reconfigure previous IPSec/UDP settings using port 4500 to a different port.

• Enable IPSec over NAT-T globally in the Configuration | Tunneling and Security | IPSec | NAT Transparency screen.

• Select the second or third option for the Fragmentation Policy parameter in the Configuration | Interfaces | Ethernet screen. These options let traffic travel across NAT devices that do not support IP fragmentation; they do not impede the operation of NAT devices that do support IP fragmentation.

Check the box to enable NAT-T for this LAN-to-LAN connection.

15-22VPN 3000 Series Concentrator Reference Volume I: Configuration

78-15731-01

Page 515: Config

Chapter 15 Tunneling and SecurityConfiguration | Tunneling and Security | IPSec | LAN-to-LAN | Add or Modify

Bandwidth Policy

Select a bandwidth policy to apply to this IPSec LAN-to-LAN connection from the drop-down list. If there are no policies in this list, you must go to Configuration | Policy Management | Traffic Management | Bandwidth Policies and define one or more policies. If you do not want to select a policy here, then select None. For more information on the Bandwidth Management feature, see the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify screen.

Routing

The VPN Concentrator provides two ways to advertise static LAN-to-LAN routes.

• Reverse Route Injection = The local VPN Concentrator adds the addresses of one or more remote networks to its routing table and advertises these entries to specified networks on the local LAN. If you choose this option, specify the Local and Remote Network parameters that follow. Then, enable RIP or OSPF on the private interface.

• Network Autodiscovery = This feature dynamically discovers and continuously updates the private network addresses on each side of the LAN-to-LAN connection. This feature uses RIP. You must enable Inbound RIP RIPv2/v1 on the Ethernet 1 (Private) interface of both VPN Concentrators. (See the “Configuration | Interfaces” section.) If you choose this option, skip the Local and Remote Network parameters; they are ignored.

• None = Do not advertise static LAN-to-LAN routes.

Local Network

These entries identify the private network on this VPN Concentrator, the hosts of which can use the LAN-to-LAN connection.

• These entries must match those in the Remote Network section on the peer VPN Concentrator.

• If you are using a LAN-to-LAN NAT rule, this is the translated network address.

Network List

Click the Network List drop-down menu button and choose the configured network list that specifies the local network addresses. A network list is a list of network addresses that are treated as a single object. (See the Configuration | Policy Management | Traffic Management | Network Lists screens.)

To enter a network address, choose Use IP Address/Wildcard-mask below.

If you want to use a network list that you have not yet configured, choose Create New Network List. The VPN Concentrator displays the Configuration | Tunneling and Security | IPSec LAN-to-LAN | Local Network List window, which allows you to create the network list.

If you choose a network list, the Manager ignores entries in the IP Address and Wildcard Mask fields.

Note An IP address is used with a wildcard mask to provide the desired granularity. A wildcard mask is the reverse of a subnet mask. In other words, the wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example:

0.0.0.0/255.255.255.255 = any address

10.10.1.35/0.0.0.0 = only 10.10.1.35

10.10.1.35/0.0.0.255 = all 10.10.1.nnn addresses

IP Address

Enter the IP address of the private local network on this VPN Concentrator. Use dotted decimal notation, for example: 10.10.0.0.

Wildcard Mask

Enter the wildcard mask for the private local network. Use dotted decimal notation, for example: 0.0.255.255. The system supplies a default wildcard mask appropriate to the IP address class.

Remote Network

These entries identify the private network on the remote peer VPN Concentrator whose hosts can use the LAN-to-LAN connection.

• These entries must match those in the Local Network section on the peer VPN Concentrator.

• If you are using a LAN-to-LAN NAT rule, this is the remote network address.

Network List

Click the Network List drop-down menu button and choose the configured network list that specifies the remote network addresses. A network list is a list of network addresses that are treated as a single object. (See the Configuration | Policy Management | Traffic Management | Network Lists screens.)

If you want to use a network list that you have not yet configured, choose Create New Network List. The VPN Concentrator displays the Configuration | Tunneling and Security | IPSec LAN-to-LAN | Remote Network List window, which allows you to create the network list.

To enter a network address, choose Use IP Address/Wildcard-mask below.

If you choose a network list, the Manager ignores entries in the IP Address and Wildcard-mask fields.

Note An IP address is used with a wildcard mask to provide the desired granularity. A wildcard mask is the reverse of a subnet mask. In other words, the wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example:

0.0.0.0/255.255.255.255 = any address

10.10.1.35/0.0.0.0 = only 10.10.1.35

10.10.1.35/0.0.0.255 = all 10.10.1.nnn addresses

IP Address

Enter the IP address of the private network on the remote peer VPN Concentrator. Use dotted decimal notation, for example: 11.0.0.1.


Wildcard Mask

Enter the wildcard mask for the private remote network. Use dotted decimal notation, for example: 0.255.255.255. The system supplies a default wildcard mask appropriate to the IP address class.

Add or Apply / Cancel

• Add screen: To add this connection to the list of configured LAN-to-LAN connections, click Add.

If you are creating new network lists, the Manager automatically displays the appropriate Local or Remote Network List screens. Otherwise, the Manager displays the Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add | Done screen.

• Modify screen: To apply your changes to this LAN-to-LAN connection, click Apply. The Manager returns to the Configuration | Tunneling and Security | IPSec | LAN-to-LAN screen.

Caution Any changes take effect as soon as you click Apply. If client sessions are using this connection, changes delete the tunnel (and the sessions) without warning.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | Tunneling and Security| IPSec | LAN-to-LAN screen, and the LAN-to-LAN Connection list is unchanged.


Configuration | Tunneling and Security | IPSec| LAN-to-LAN | Add | Local or Remote Network List

These screens let you configure and add network lists for the Local Network or Remote Network of a new IPSec LAN-to-LAN connection. The Manager automatically opens these screens if you choose Create new Network List under Network List on the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add screen.

A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens also.

On the Local Network List screen, the Manager can automatically generate a network list using the valid network routes in the routing table for the Ethernet 1 (Private) interface of this VPN Concentrator. (See Monitoring | Routing Table.)

A single network list can contain a maximum of 10 network entries.

Figure 15-10 Configuration | Tunneling and Security | IPSec LAN-to-LAN | Add | Local or Remote Network List Screen


List Name

The Manager supplies a default name that identifies the list as a LAN-to-LAN local or remote list, which we recommend you keep. Otherwise, enter a unique name for this network list. The maximum name length is 48 characters. Entries are case-sensitive. Spaces are allowed.

If you use the Generate Local List feature on the Local Network List screen, edit this name after the system generates the network list.

Network List

Enter the networks in this network list. Enter each network on a single line using the format n.n.n.n/w.w.w.w, where n.n.n.n is the network IP address and w.w.w.w is the wildcard mask.

Note Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example, 10.10.1.0/0.0.0.255 = all 10.10.1.nnn addresses.

If you omit the wildcard mask, the Manager supplies the default wildcard mask for the class of the network address. For example, 192.168.12.0 is a Class C address, and default wildcard mask is 0.0.0.255.

You can enter a maximum of 200 networks in a single network list.
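The wildcard-mask examples given for the Local Network and Remote Network fields, the n.n.n.n/w.w.w.w line format of the Network List field, and the requirement that one Concentrator's Local Network entries match its peer's Remote Network entries all come down to a few bit operations. The following is an added example, not code from Cisco or the VPN Concentrator; it parses constructed network-list text, supplies the classful default wildcard when one is omitted, tests whether a host falls inside an entry, and compares two peers' lists. The 200-entry limit is the one stated for this field; the refusal of class D/E addresses is an assumption of the example.

```python
"""Added example (not Cisco's code): parsing Network List entries in the
n.n.n.n/w.w.w.w format, classful default wildcard masks, wildcard matching,
and a check that two peers' Local and Remote lists agree."""
import ipaddress

MAX_ENTRIES_PER_LIST = 200   # limit stated for the Network List field


def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def default_wildcard(addr):
    """Classful default the Manager supplies when the wildcard is omitted."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return "0.255.255.255"   # Class A
    if first_octet < 192:
        return "0.0.255.255"     # Class B
    if first_octet < 224:
        return "0.0.0.255"       # Class C
    # Assumption: class D/E addresses are not usable as private networks here
    raise ValueError(f"no classful default wildcard for {addr}")


def parse_entry(line):
    """Parse one 'n.n.n.n/w.w.w.w' line into an (address, wildcard) pair."""
    addr, _, wild = line.strip().partition("/")
    ipaddress.IPv4Address(addr)            # raises on malformed input
    wild = wild or default_wildcard(addr)
    ipaddress.IPv4Address(wild)
    return addr, wild


def parse_network_list(text):
    entries = [parse_entry(ln) for ln in text.splitlines() if ln.strip()]
    if len(entries) > MAX_ENTRIES_PER_LIST:
        raise ValueError(f"more than {MAX_ENTRIES_PER_LIST} networks in one list")
    return entries


def matches(entry, host):
    """True if host falls inside entry. A wildcard bit of 1 means 'ignore
    this bit', 0 means 'this bit must match', so compare under ~wildcard."""
    addr, wild = entry
    care = ~_as_int(wild) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(host) & care)


def covered_by(entries, host):
    return [e for e in entries if matches(e, host)]


def peers_agree(local_a, remote_b):
    """The Local Network list on one Concentrator must match the Remote
    Network list on its peer; compared as sets, so order does not matter."""
    return set(local_a) == set(remote_b)


# Constructed sample lists (not from any real configuration); the second
# line of SITE_A_LOCAL omits the wildcard and gets the Class C default.
SITE_A_LOCAL = "10.10.1.0/0.0.0.255\n192.168.12.0\n"
SITE_B_REMOTE = "192.168.12.0/0.0.0.255\n10.10.1.0/0.0.0.255\n"

if __name__ == "__main__":
    a = parse_network_list(SITE_A_LOCAL)
    b = parse_network_list(SITE_B_REMOTE)
    print(a, covered_by(a, "10.10.1.200"), peers_agree(a, b))
```

A mismatch between the two sides is the usual reason a LAN-to-LAN tunnel negotiates Phase 1 but never passes traffic, so comparing the lists as sets before applying them is a cheap check.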

Generate Local List

On the Local Network List screen, click the Generate Local List button to have the Manager automatically generate a network list using the first 200 valid network routes in the routing table for the Ethernet 1 (Private) interface of this VPN Concentrator. (See Monitoring | Routing Table.) The Manager refreshes the screen after it generates the list, and you can then edit the Network List and the List Name.

Apply

To add this network list to the configured network lists, click Apply. The Manager displays either the Remote Network List screen or the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen.


Configuration | Tunneling and Security | IPSec| LAN-to-LAN | Add | Done

The Manager displays this screen when you have finished configuring all parameters for a new IPSec LAN-to-LAN connection. It documents the added configuration entities.

The Manager displays this screen only once. We suggest you print a copy of the screen to save it for your records.

To examine or modify an entity, see the appropriate screen:

• Group: See Configuration | User Management | Groups.

• Security Association: See Configuration | Policy Management | Traffic Management | Security Associations.

• Filter Rules: See Configuration | Policy Management | Traffic Management | Rules.

You cannot delete the group, SA, or rules individually, nor can you remove the rules from their filter. The system automatically deletes them when you delete the LAN-to-LAN connection.

Figure 15-11 Configuration | Tunneling and Security | IPSec LAN-to-LAN | Add | Done Screen

OK

To close this screen and return to the Configuration | Tunneling and Security | IPSec | LAN-to-LAN screen, click OK. The LAN-to-LAN Connection list shows the new connection, and the Manager includes all the new settings in the active configuration.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Tunneling and Security | IPSec | IKE Proposals

This section of the Manager lets you configure, add, modify, activate, deactivate, delete, and prioritize IKE proposals, which are sets of parameters for Phase 1 IPSec negotiations. During Phase 1, the two peers establish a secure tunnel within which they then negotiate the Phase 2 parameters.

The VPN Concentrator uses IKE proposals both as initiator and responder in IPSec negotiations. In LAN-to-LAN connections, the VPN Concentrator can function as initiator or responder. In client-to-LAN connections, the VPN Concentrator functions only as responder.

You must configure, activate, and prioritize IKE proposals before you configure IPSec Security Associations. See Configuration | Policy Management | Traffic Management | Security Associations, or click the Security Associations link on this screen.

You must also configure and activate IKE proposals before configuring IPSec LAN-to-LAN connections. See Configuration | Tunneling and Security | IPSec | LAN-to-LAN.

You can configure a maximum of 150 IKE proposals total (active and inactive).

Figure 15-12 Configuration | Tunneling and Security | IPSec | IKE Proposals Screen

Cisco supplies default IKE proposals that you can use or modify; see Table 15-2. The documentation for the VPN Client and for the VPN 3002 Hardware Client each include a table of all valid IKE proposals for remote access connections. See Configuration | Tunneling and Security | IPSec | IKE Proposals | Add for explanations of the parameters.


Table 15-2 Cisco-Supplied Default IKE Proposals: Proposals Active by Default

| Proposal Name | Authentication Mode | Authentication Algorithm | Encryption Algorithm | Diffie-Hellman Group | Lifetime Measurement | Data Lifetime | Time Lifetime |
|---|---|---|---|---|---|---|---|
| CiscoVPNClient-3DES-MD5 | Preshared Keys (XAUTH) | MD5/HMAC-128 | 3DES-168 | Group 2 (1024-bits) | Time | 10000 KB | 86400 sec |
| IKE-3DES-MD5 | Preshared Keys | MD5/HMAC-128 | 3DES-168 | Group 2 (1024-bits) | Time | 10000 KB | 86400 sec |
| IKE-3DES-MD5-DH1 | Preshared Keys | MD5/HMAC-128 | 3DES-168 | Group 1 (768-bits) | Time | 10000 KB | 86400 sec |
| IKE-DES-MD5 | Preshared Keys | MD5/HMAC-128 | DES-56 | Group 1 (768-bits) | Time | 10000 KB | 86400 sec |
| IKE-3DES-MD5-DH7 | Preshared Keys | MD5/HMAC-128 | 3DES-168 | Group 7 (ECC) (163-bits) | Time | 10000 KB | 86400 sec |
| IKE-3DES-MD5-RSA | RSA Digital Certificate | MD5/HMAC-128 | 3DES-168 | Group 2 (1024-bits) | Time | 10000 KB | 86400 sec |
| IKE-AES128-SHA | Preshared Keys | SHA/HMAC-160 | AES-128 | Group 2 (1024-bits) | Time | 10000 KB | 86400 sec |
| CiscoVPNClient-AES128-SHA | Preshared Keys | SHA/HMAC-160 | AES-128 | Group 2 (1024-bits) | Time | 10000 KB | 86400 sec |
| CiscoVPNClient-3DES-MD5-DH5 | (not legible in source) | MD5/HMAC-128 | 3DES-168 | Group 5 (1536-bits) | Time | 10000 KB | 86400 sec |


Table 15-3 Cisco-Supplied Default IKE Proposals: Proposals Inactive by Default

| Proposal Name | Authentication Mode | Authentication Algorithm | Encryption Algorithm | Diffie-Hellman Group | Lifetime Measurement | Data Lifetime | Time Lifetime |
|---|---|---|---|---|---|---|---|
| IKE-3DES-SHA-DSA | RSA Digital Certificate | SHA/HMAC-160 | 3DES-168 | Group 2 (1024-bits) | Time | 10000 KB | 86400 sec |
| IKE-3DES-MD5-RSA-DH1 | RSA Digital Certificate | MD5/HMAC-128 | 3DES-168 | Group 1 (768-bits) | Time | 10000 KB | 86400 sec |
| IKE-DES-MD5-DH7 | Preshared Keys | MD5/HMAC-128 | DES-56 | Group 7 (ECC) (163-bits) | Time | 10000 KB | 86400 sec |
| CiscoVPNClient-3DES-MD5-RSA | RSA Digital Certificate (XAUTH) | MD5/HMAC-128 | 3DES-168 | Group 2 (1024-bits) | Time | 10000 KB | 86400 sec |
| CiscoVPNClient-3DES-SHA-DSA | DSA Digital Certificate (XAUTH) | SHA/HMAC-160 | 3DES-168 | Group 2 (1024-bits) | Time | 10000 KB | 86400 sec |
| CiscoVPNClient-AES256-SHA | Preshared Keys | SHA/HMAC-160 | AES-256 | Group 2 (1024-bits) | Time | 10000 KB | 86400 sec |
| IKE-AES256-SHA | Preshared Keys | SHA/HMAC-160 | AES-256 | Group 2 (1024-bits) | Time | 10000 KB | 86400 sec |

Active Proposals

This field shows the names of IKE proposals that have been configured, activated, and prioritized. As an IPSec responder, the VPN Concentrator checks these proposals in priority order, to see if it can find one that agrees with parameters in the initiator’s proposed SA.

Activating a proposal also makes it available for use wherever the Manager displays an IKE Proposal list, and the first active proposal appears as the default selection.

Inactive Proposals

This field shows the names of IKE proposals that have been configured but are inactive. New proposals appear in this list when you first configure and add them. The VPN Concentrator does not use these proposals in any IPSec negotiations, nor do they appear in IKE Proposal lists.

Note To configure L2TP over IPSec, you must activate IKE-3DES-MD5-RSA. Also see the Configuration | User Management screens.

<< Activate

To activate an inactive IKE proposal, select it from the Inactive Proposals list and click the <<Activate button. The Manager moves the proposal to the Active Proposals list and refreshes the screen.


>> Deactivate

To deactivate an active IKE proposal, select it from the Active Proposals list and click the >>Deactivate button. If the active proposal is configured on a Security Association, the Manager displays an error message; and you must remove it from the SA before you can deactivate it. Otherwise, the Manager moves the proposal to the Inactive Proposals list and refreshes the screen.

Move Up / Move Down

To change the priority order of an active IKE proposal, select it from the Active Proposals list and click Move Up or Move Down. The Manager refreshes the screen and shows the reordered Active Proposals list. These actions move the proposal up or down one position.

Add

To configure and add a new IKE proposal to the list of Inactive Proposals, click the Add button. See Configuration | Tunneling and Security | IPSec | IKE Proposals | Add.

Modify

To modify a configured IKE proposal, select it from either Active Proposals or Inactive Proposals and click the Modify button. See Configuration | Tunneling and Security | IPSec | IKE Proposals | Modify. Modifying an active proposal does not affect connections currently using it, but changes do affect subsequent connections.

Copy

To use a configured IKE proposal as the basis for configuring and adding a new one, select it from either Active Proposals or Inactive Proposals and click the Copy button. See Configuration | Tunneling and Security | IPSec | IKE Proposals | Copy. The new proposal appears in the Inactive Proposals list.

Delete

To delete a configured IKE proposal, select it from either Active Proposals or Inactive Proposals and click the Delete button. If an active proposal is configured on a Security Association, the Manager displays an error message; and you must remove it from the SA before you can delete it. Otherwise, there is no confirmation or undo. The Manager refreshes the screen and shows the remaining IKE proposals in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Configuration | Tunneling and Security | IPSec | IKE Proposals | Add, Modify, or Copy

These screens let you:

• Add: Configure and add a new inactive IKE proposal.

• Modify: Modify a previously configured IKE proposal.

• Copy: Copy a configured IKE proposal, modify its parameters, save it with a new name, and add it to the configured inactive IKE proposals.

You can configure a maximum of 150 IKE proposals total (active and inactive), and you can make any number of them active.

Figure 15-13 Configuration | Tunneling and Security | IPSec | IKE Proposals | Add Screen

Proposal Name

Enter a unique name for this IKE proposal. The maximum name length is 48 characters. Entries are case-sensitive. Spaces are allowed.


Authentication Mode

This parameter specifies how to authenticate the remote client or peer. Authentication proves that the connecting entity is the one you think it is. If you select one of the digital certificate modes, an appropriate digital certificate must be installed on this VPN Concentrator and the remote client or peer. See the discussion under Administration | Certificate Management.

Click the Authentication Mode drop-down menu button and choose the method:

• Preshared Keys = Use preshared keys (the default). The keys are derived from the password of the user’s or peer’s group.

• RSA Digital Certificate = Use a digital certificate with keys generated by the RSA algorithm.

• DSA Digital Certificate = Use a digital certificate with keys generated by the DSA algorithm.

• Preshared Keys (XAUTH) = Use preshared keys (the default). The keys are derived from the password of the user’s or peer’s group. Require user-based authentication via XAUTH.

• RSA Digital Certificate (XAUTH) = Use a digital certificate with keys generated by the RSA algorithm. Require user-based authentication via XAUTH.

• DSA Digital Certificate (XAUTH) = Use a digital certificate with keys generated by the DSA algorithm. Require user-based authentication via XAUTH.

Authentication Algorithm

This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that data comes from the source you think it comes from.

Click the Authentication Algorithm drop-down menu button and choose one of the following algorithms:

• MD5/HMAC-128 = HMAC (Hashed Message Authentication Coding) with the MD5 hash function using a 128-bit key. This is the default choice.

• SHA/HMAC-160 = HMAC with the SHA-1 hash function using a 160-bit key. This choice is more secure but requires more processing overhead.

Encryption Algorithm

This parameter specifies the data, or packet, encryption algorithm. Data encryption makes the data unreadable if intercepted.

Click the Encryption Algorithm drop-down menu button and choose the algorithm:

• DES-56 = Data Encryption Standard (DES) encryption with a 56-bit key.

• 3DES-168 = Triple-DES encryption with a 168-bit key. This is the default.

• AES-128 = Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.

• AES-192 = AES encryption with a 192-bit key.

• AES-256 = AES encryption with a 256-bit key.

When you select an encryption algorithm, the Manager selects and displays the default Diffie-Hellman group for that encryption algorithm. You can


Diffie-Hellman Group

This parameter specifies the Diffie-Hellman group used to generate IPSec SA keys. The Diffie-Hellman technique generates keys using prime numbers and “generator” numbers in a mathematical relationship. When you choose an encryption algorithm, the Manager automatically selects the default Diffie-Hellman group for that algorithm; you can change the group here if you want, subject to the constraints noted below.

Note For the VPN 3002 Hardware Client: To use Groups 1 or 5, you must be using digital certificates. Otherwise, only Group 2 is available. To use Groups 1 or 5, make sure there is a digital certificate installed on the VPN 3002; and on the VPN Concentrator, choose one of the digital certificate authentication options under Authentication Mode.

Click the Diffie-Hellman Group drop-down menu button and choose the group:

• Group 1 (768-bits) = Use Diffie-Hellman Group 1 to generate IPSec SA keys, where the prime and generator numbers are 768 bits. Choose this option if you select DES-56 under Encryption Algorithm.

• Group 2 (1024-bits) = Use Diffie-Hellman Group 2 to generate IPSec SA keys, where the prime and generator numbers are 1024 bits. This is the default choice for use with the 3DES-168 Encryption Algorithm.

• Group 5 (1536-bits) = Use Diffie-Hellman Group 5 to generate IPSec SA keys, where the prime and generator numbers are 1536 bits. This is the default choice for use with the AES encryption algorithms. It works only for LAN-to-LAN connections, and for clients using certificates.

• Group 7 (ECC) = Use Diffie-Hellman Group 7 to generate IPSec SA keys, where the elliptical curve field size is 163 bits. You can use this option with any encryption algorithm. This option is intended for use with the movianVPN client, but you can use it with any peers that support Group 7 (ECC).

Lifetime Measurement

This parameter specifies how to measure the lifetime of the IKE SA keys, which is how long the IKE SA lasts until it expires and must be renegotiated with new keys. It is used with the Data Lifetime or Time Lifetime parameters.

Note If the peer proposes a shorter lifetime measurement, the VPN Concentrator uses that lifetime measurement instead.

Click the Lifetime Measurement drop-down menu button and choose the measurement method:

• Time = Use time (seconds) to measure the lifetime of the SA (the default). Configure the Time Lifetime parameter below.

• Data = Use data (number of kilobytes) to measure the lifetime of the SA. Configure the Data Lifetime parameter below.

• Both = Use both time and data, whichever occurs first, to measure the lifetime. Configure both Time Lifetime and Data Lifetime parameters.

• None = No lifetime measurement. The SA lasts until terminated for other reasons. It lasts a maximum of 86400 seconds (24 hours).
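Two behaviours on these screens are easy to get wrong when planning proposals: the responder walks the Active Proposals list in priority order and takes the first whose parameters agree with the initiator's proposed SA, and if the peer proposes a shorter lifetime the Concentrator uses that one. The following is an added example, not Cisco's code or the Concentrator's implementation, that models both, plus the one-position Move Up reordering. Proposal values are taken from Table 15-2; the peer's offer, the parameter names, and the rule that a Data-only or None measurement is capped at 86400 seconds are assumptions of the example.

```python
"""Added example (not Cisco's code): how a responder walks its Active
Proposals list in priority order, and what lifetime results when the
initiator proposes a shorter one. Values are constructed from Table 15-2."""
from dataclasses import dataclass

MAX_SA_LIFETIME_SEC = 86400   # an SA with no measurement still ends after 24 hours


@dataclass(frozen=True)
class IkeProposal:
    name: str
    auth_mode: str
    auth_alg: str
    enc_alg: str
    dh_group: str
    lifetime_measure: str      # "Time", "Data", "Both" or "None"
    data_lifetime_kb: int = 10000
    time_lifetime_sec: int = 86400

    def crypto_params(self):
        return (self.auth_mode, self.auth_alg, self.enc_alg, self.dh_group)


def effective_time_lifetime(p):
    """Seconds this side will accept. Assumption: when time is not measured
    (Data or None), the 24-hour cap from the Lifetime Measurement note applies."""
    if p.lifetime_measure in ("Time", "Both"):
        return min(p.time_lifetime_sec, MAX_SA_LIFETIME_SEC)
    return MAX_SA_LIFETIME_SEC


def negotiate(active, initiator):
    """Responder side: the first active proposal (priority order) whose
    authentication mode, hash, cipher and DH group agree with the initiator's
    wins; if the peer proposed a shorter time lifetime, that value is used."""
    for p in active:
        if p.crypto_params() == initiator.crypto_params():
            seconds = min(effective_time_lifetime(p), effective_time_lifetime(initiator))
            return p.name, seconds
    return None


def move_up(active, name):
    """Move one proposal one position up the priority list (like Move Up)."""
    out = list(active)
    i = [p.name for p in out].index(name)
    if i > 0:
        out[i - 1], out[i] = out[i], out[i - 1]
    return out


# Constructed active list, in priority order, using rows of Table 15-2
ACTIVE = [
    IkeProposal("CiscoVPNClient-3DES-MD5", "Preshared Keys (XAUTH)", "MD5/HMAC-128",
                "3DES-168", "Group 2 (1024-bits)", "Time"),
    IkeProposal("IKE-3DES-MD5", "Preshared Keys", "MD5/HMAC-128",
                "3DES-168", "Group 2 (1024-bits)", "Time"),
    IkeProposal("IKE-AES128-SHA", "Preshared Keys", "SHA/HMAC-160",
                "AES-128", "Group 2 (1024-bits)", "Time"),
]

# A constructed LAN-to-LAN peer offer: same crypto as IKE-3DES-MD5, 1-hour lifetime
PEER = IkeProposal("peer-offer", "Preshared Keys", "MD5/HMAC-128",
                   "3DES-168", "Group 2 (1024-bits)", "Time", time_lifetime_sec=3600)

if __name__ == "__main__":
    print(negotiate(ACTIVE, PEER))
    print([p.name for p in move_up(ACTIVE, "IKE-AES128-SHA")])
```

Note that the XAUTH variant at the top of the list does not match a plain preshared-key offer, so a LAN-to-LAN peer falls through to IKE-3DES-MD5; ordering a stronger proposal such as IKE-AES128-SHA above it changes which one a peer that supports both will end up with.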


Data Lifetime

If you choose Data or Both under Lifetime Measurement, enter the number of kilobytes of payload data after which the IKE SA expires. The minimum number is 10 KB. The default number is 10000 KB. The maximum number is 2147483647 KB.

Time Lifetime

If you choose Time or Both under Lifetime Measurement, enter the number of seconds after which the IKE SA expires. The minimum number is 60 seconds. The default number is 86400 seconds (24 hours). The maximum number is 2147483647 seconds (about 68 years).

Add or Apply / Cancel

Add or Copy screen:

• To add this IKE proposal to the list of Inactive Proposals, click Add or Apply. The Manager returns to the Configuration | Tunneling and Security | IPSec | IKE Proposals screen. To use the new proposal, you must activate and prioritize it as explained for that screen.

Modify screen:

• To apply your changes to this IKE proposal, click Apply. The Manager returns to the Configuration | Tunneling and Security | IPSec | IKE Proposals screen. If you modify an active proposal, changes do not affect connections currently using it, but they do affect subsequent connections.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security | IPSec | IKE Proposals screen, and the IKE proposals lists are unchanged.


Configuration | Tunneling and Security | IPSec | NAT Transparency

This screen lets you configure NAT Transparency, which consists of IPSec over TCP and IPSec over NAT Traversal (NAT-T).

Figure 15-14 Configuration | Tunneling and Security | IPSec | NAT Transparency Screen

IPSec over TCP

IPSec over TCP enables a VPN client to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and enables secure tunneling through both NAT and PAT devices and firewalls.

Note This feature does not work with proxy-based firewalls.

IPSec over TCP works with both the VPN software client and the VPN 3002 hardware client. It works only on the public interface. It is a client to Concentrator feature only. It does not work for LAN-to-LAN connections.

• The VPN Concentrator can simultaneously support standard IPSec, IPSec over TCP, NAT-Traversal, and IPSec over UDP, depending on the client with which it is exchanging data.

• The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard IPSec, IPSec over TCP, NAT-Traversal, or IPSec over UDP.

• When enabled, IPSec over TCP takes precedence over all other methods.

• When both NAT-T and IPSec over UDP are enabled, NAT-T takes precedence.


To use IPSec over TCP, both the VPN Concentrator and the client must:

• Be running version 3.5 or later software.

• Enable IPSec over TCP.

• Configure the same port for IPSec over TCP on both the Concentrator and the client.

You enable IPSec over TCP on both the Concentrator and the client to which it connects. For software clients, refer to the VPN Client User Guide for configuration instructions. For the VPN 3002 hardware client, refer to the VPN 3002 Hardware Client Getting Started guide, and to the VPN 3002 Hardware Client Reference.

If you enter a well-known port, for example port 80 (HTTP) or port 443 (HTTPS), the system displays a warning that the protocol associated with that port will no longer work on the public interface. The consequence is that you can no longer use a browser to manage the VPN Concentrator through the public interface. To solve this problem, reconfigure the HTTP/HTTPS management to different ports.

You must configure TCP port(s) on the client as well as on the VPN Concentrator. The client configuration must include at least one of the ports you set for the VPN Concentrator here.

Check the box to enable IPSec over TCP.

TCP Port(s)

Enter up to 10 ports, using a comma to separate the ports. You do not need to use spaces. The default port is 10,000. The range is 1 to 65,635.

IPSec over NAT-T

NAT-T (NAT Traversal) lets IPSec peers establish a connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary.

Both the VPN Client and the VPN 3002 Hardware Client support NAT-T in software version 3.6 and later.

• To enable NAT-T on the VPN Client, see the VPN Client Administrator Guide.

• The VPN 3002 uses NAT-T by default, and requires no configuration.

Remote access clients that support both NAT-T and IPSec/UDP methods first attempt NAT-T, and then IPSec/UDP (if enabled) if a NAT device is not auto-detected, allowing IPSec traffic to pass through firewalls that disallow IPSec.

The VPN Concentrator implementation of NAT-T supports IPSec peers behind a single NAT/PAT device as follows:

• One Microsoft L2TP/IPSec client.

• One LAN-to-LAN connection.

• Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.

15-38VPN 3000 Series Concentrator Reference Volume I: Configuration

78-15731-01

Page 531: Config


To use NAT-T you must:

• Open port 4500 on any firewall you have configured in front of a VPN Concentrator.

• Reconfigure previous IPSec/UDP configurations using port 4500 to a different port.

• Select the second or third options for the Fragmentation Policy parameter in the Configuration | Interfaces | Ethernet screen. These options let traffic travel across NAT devices that do not support IP fragmentation; they do not impede the operation of NAT devices that do support IP fragmentation.

• Check the box in this screen to Enable IPSec over NAT-T.

Note IPSec over TCP is a TCP encapsulation rather than a full TCP connection. In software versions prior to 3.6.7.B, the VPN Concentrator did not limit data transmission by window size, so sometimes stateful firewalls shut down the TCP session. In software versions 3.6.7.B and later, the VPN Concentrator enforces a 64K window size on the connection to avoid connection shutdown. As a result, large data transfers might result in packet loss of end-to-end data. The VPN Concentrator does not retransmit dropped packets; the peer application must detect the dropping and recover from it. If you are running UDP streaming applications such as video or voice, you might notice choppy transmission.

Check the box to enable IPSec over NAT Traversal.
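The following validator is an added example, not Cisco's code: it applies the rules stated above for the TCP Port(s) field (up to 10 comma-separated ports, warning when a well-known management port such as HTTP 80 or HTTPS 443 is chosen) and the NAT-T prerequisite that no existing IPSec/UDP configuration stays on port 4500. The `ipsec_udp_ports` input and the management-port table are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

MAX_TCP_PORTS = 10            # "Enter up to 10 ports"
NAT_T_UDP_PORT = 4500         # UDP port NAT-T encapsulation uses
# Well-known ports the manual names as no longer usable for management on the
# public interface once IPSec over TCP takes them (assumed table for the example).
MANAGEMENT_PORTS: Dict[int, str] = {80: "HTTP", 443: "HTTPS"}


@dataclass
class CheckResult:
    ports: List[int] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_tcp_ports(text: str) -> Tuple[List[int], List[str]]:
    """Parse the TCP Port(s) field: comma-separated, spaces optional."""
    ports: List[int] = []
    errors: List[str] = []
    for item in text.split(","):
        item = item.strip()
        if not item.isdigit():
            errors.append(f"not a port number: {item!r}")
            continue
        port = int(item)
        if not 1 <= port <= 65535:          # valid TCP port range
            errors.append(f"port out of range: {port}")
        elif port in ports:
            errors.append(f"duplicate port: {port}")
        else:
            ports.append(port)
    if len(ports) > MAX_TCP_PORTS:
        errors.append(f"{len(ports)} ports given; the field allows {MAX_TCP_PORTS}")
    return ports, errors


def check_nat_transparency(tcp_ports_text: str, nat_t_enabled: bool,
                           ipsec_udp_ports: Iterable[int] = (),
                           mgmt_ports: Dict[int, str] = MANAGEMENT_PORTS) -> CheckResult:
    """Apply the manual's IPSec over TCP and NAT-T rules to a proposed setting.

    ipsec_udp_ports lists the ports of existing IPSec/UDP configurations
    (assumed input); the manual says they must be moved off 4500 for NAT-T.
    """
    result = CheckResult()
    result.ports, result.errors = parse_tcp_ports(tcp_ports_text)
    for port in result.ports:
        if port in mgmt_ports:
            result.warnings.append(
                f"port {port} is {mgmt_ports[port]}: it will no longer work on the "
                f"public interface; move HTTP/HTTPS management to another port")
    if nat_t_enabled:
        for port in ipsec_udp_ports:
            if port == NAT_T_UDP_PORT:
                result.errors.append(
                    f"IPSec/UDP on port {NAT_T_UDP_PORT} conflicts with NAT-T; "
                    f"reconfigure that IPSec/UDP setting to a different port")
    return result
```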

Apply / Cancel

To apply your IPSec over TCP and NAT-T settings, click Apply. The Manager returns to the Configuration | Tunneling and Security | IPSec screen.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security | IPSec screen, and your configuration is unchanged.


Configuration | Tunneling and Security | IPSec | Alerts

The VPN Concentrator notifies qualified VPN Concentrator peers (in LAN-to-LAN configurations), VPN Clients and VPN 3002 Hardware Clients of sessions that are about to be disconnected, and it conveys to them the reason. The Concentrator or client receiving the alert decodes the reason and displays it in the event log or in a pop-up screen. This feature is enabled by default.

This screen lets you disable the feature so that the VPN Concentrator does not send or receive these alerts.

Figure 15-15 Configuration | Tunneling and Security | IPSec | Alerts Screen

Alert when disconnecting

By default alerts are enabled.

Uncheck the box to disable alerts. When you disable alerts:

• The VPN Concentrator does not notify clients or peer VPN Concentrators when it disconnects a session.

• The VPN Concentrator does not receive alerts from VPN 3002 Hardware Clients, software clients, or peer VPN Concentrators when they disconnect a session.

Qualified Clients and Peers

IPSec clients and VPN Concentrators receive alerts about impending disconnects according to the following qualifications:

• VPN Clients running 4.0 or greater software (no configuration required).

• VPN 3002 Hardware Clients running 4.0 or greater software, with Alerts enabled (Configuration | Tunneling and Security | IPSec | Alerts screen).

• VPN Concentrators running 4.0 or greater software, with Alerts enabled.

Apply / Cancel

To apply your Alert setting, and to include your setting in the active configuration, click Apply. The Manager returns to the Configuration | Tunneling and Security | IPSec screen.


Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security | IPSec screen.

Configuration | Tunneling and Security | SSH

This screen lets you configure the VPN Concentrator SSH (Secure Shell) protocol server. SSH is a secure Telnet-like terminal emulator protocol that you can use to manage the VPN Concentrator, using the Command Line Interface, over a remote connection. The VPN Concentrator supports SSH1 (protocol version 1.5), which uses two RSA keys for security. All communication over the connection is encrypted.

At the start of an SSH session, the VPN Concentrator sends both a host key and a server key to the client, which responds with a session key that it generates and encrypts using the host and server keys. The RSA key of the SSL certificate is used as the host key, which uniquely identifies the VPN Concentrator. See the next section, Configuration | Tunneling and Security | SSL.

Figure 15-16 Configuration | Tunneling and Security | SSH Screen

Enable SSH

Check the Enable SSH check box to enable the SSH server. The box is checked by default. Disabling the SSH server provides additional security by preventing SSH access.


SSH Port

Enter the port number that the SSH server uses. The default value is 22.

Maximum Sessions

Enter the maximum number of concurrent SSH sessions allowed. The minimum number is 1. The default number is 4. The maximum number is 10. The maximum number of concurrent SSH sessions is also limited by the maximum number of Telnet connections configured on the Configuration | System | Management Protocols | Telnet screen.

Key Regeneration Period

Enter the server key regeneration period in minutes. If the server key has been used for an SSH session, the VPN Concentrator regenerates the key at the end of this period. The minimum is 0 minutes (which disables key regeneration), the default is 60 minutes, and the maximum is 10080 minutes (1 week). Use 0 (disable key regeneration) only for testing, since it lessens security.

Encryption Protocols

Check the Encryption Protocols check boxes for the encryption algorithms that the VPN Concentrator SSH server can negotiate with a client and use for session encryption. You must check at least one encryption algorithm to enable a secure session. Unchecking all algorithms disables SSH.

• 3DES-168 = Triple-DES encryption with a 168-bit key. This option is the most secure but requires the greatest processing overhead.

• RC4-128 = RC4 encryption with a 128-bit key. This option provides adequate performance and security.

• DES-56 = DES encryption with a 56-bit key. This option is least secure but provides the greatest export flexibility.

• No Encryption = Connect without encryption. This option provides no security and is for testing only. It is unchecked by default.

Note The VPN Concentrator does not support the IDEA or Blowfish algorithms.

Enable SCP

Check the Enable SCP check box to enable file transfers using secure copy (SCP) over SSH.

Apply / Cancel

To apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | Tunneling and Security screen.


Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security screen.

Configuration | Tunneling and Security | SSL

This screen lets you set Secure Socket Layer (SSL) options for management and for WebVPN remote access sessions.

SSL creates a secure session between the remote access user, also called a client, and the VPN Concentrator. The user first authenticates the Concentrator, they negotiate session security parameters, and then they encrypt all data passing during the session. If, during negotiation, they cannot agree on security parameters, the session terminates.

SSL uses digital certificates for authentication. The VPN Concentrator creates a self-signed SSL server certificate when it boots; or you can install in the VPN Concentrator an SSL certificate that has been issued in a PKI context. This certificate must then be installed in the client. You need to install the certificate from a given VPN Concentrator only once.

Figure 15-17 Configuration | Tunneling and Security | SSL Screen

HTTPS

HTTPS, also known as HTTP over SSL, lets you use a web browser over a secure, encrypted connection to communicate with and manage the VPN Concentrator.

To use WebVPN, you must enable HTTPS.

Click HTTPS to disable or enable HTTPS and configure the HTTPS port and client authentication.

Protocols

Click Protocols to configure:

• The encryption algorithms that the VPN Concentrator SSL server can negotiate with a client to use for session encryption.

• The SSL version to use.

Configuration | Tunneling and Security | SSL | HTTPS

This screen lets you configure HTTPS (HTTP over SSL). HTTPS lets you use a web browser over a secure, encrypted connection to manage the VPN Concentrator.

SSL creates a secure session between the client and the VPN Concentrator server. The client first authenticates the server, they negotiate session security parameters, and then they encrypt all data passed during the session. If, during negotiation, the server and client cannot agree on security parameters, the session terminates.

SSL uses digital certificates for authentication. The VPN Concentrator creates a self-signed SSL server certificate when it boots; or you can install in the VPN Concentrator an SSL certificate that has been issued in a PKI context. For HTTPS, this certificate must then be installed in the client. You need to install the certificate from a given VPN Concentrator only once.

Note To ensure the security of your connection to the VPN Concentrator Manager, clicking Apply on this screen—even if you have made no changes—breaks your connection to the Manager and you must restart the Manager session from the login screen.

Related information:

• For information on installing the SSL digital certificate in your browser and connecting via HTTPS, see Chapter 1, “Using the VPN Concentrator Manager”.

• To manage SSL digital certificates, see the Administration | Certificate Management screens.

Using digital certificates to authenticate clients requires several steps. See the section that follows, “Client Authentication,” for instructions.

Figure 15-18 Configuration | Tunneling and Security | SSL | HTTPS Screen


Enable HTTPS

Check the Enable HTTPS check box to enable the HTTPS server. The box is checked by default. HTTPS lets you use the VPN Concentrator Manager over an encrypted connection. WebVPN connections require HTTPS.

HTTPS Port

Enter the port number that the HTTPS server uses. The default value is 443.

Note The VPN Concentrator Manager requires either the HTTP or HTTPS server. Clicking Apply, even if you have made no changes on this screen, breaks your HTTP/HTTPS connection and you must restart the Manager session from the login screen.

If you disable either HTTP or HTTPS, and that is the protocol you are currently using, you can reconnect with the other protocol if it is enabled and configured.

If you disable both HTTP and HTTPS, you cannot use a web browser to connect to the VPN Concentrator. Use the Cisco VPN Concentrator Command Line Interface from the console or a Telnet session.

Client Authentication

Check the Client Authentication check box to enable SSL client authentication with digital certificates. The box is unchecked by default. In the most common SSL connection, the client authenticates the server, not vice-versa.

Client authentication requires a personal certificate installed in the browser, and a trusted certificate installed in the server. Specifically, the VPN Concentrator must have a root CA certificate installed; and a certificate signed by one of the VPN Concentrator’s trusted CAs must be installed in the web browser on the PC you are using to manage the VPN Concentrator. See Administration | Certificate Management for instructions on enrolling with a CA and installing digital certificates.

You must also configure a RADIUS authorization server, and set values for several parameters in the Configuration | User Management | Base Group/Groups tab.

Configuring a RADIUS or LDAP Server

To authenticate WebVPN users with digital certificates, you must configure an external RADIUS or LDAP authorization server and identify it on the VPN Concentrator. See Configuration | System | Servers | Authorization | Add/Modify.

Setting Authentication and Authorization Values

To authenticate WebVPN users with digital certificates, you must configure four parameters on the Configuration | User Management | Base Group/Groups | IPSec tab. These parameters are:

• Authentication: Set the value to None.

• Authorization Type: Set the value to RADIUS or LDAP.


• Authorization Required: Check the box.

• DN Field: Users authenticate according to the value in the field you select. For example, if the DN field on the VPN Concentrator is CN, and the CN field on the client certificate is John Doe, the VPN Concentrator sends the entire string, “CN=John Doe” to the authorization server.
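As an added example (not Cisco's code), the following shows how the DN Field setting turns a client certificate subject into the string handed to the RADIUS or LDAP authorization server, in the "CN=John Doe" form the manual describes. It assumes the subject is available as an RFC 4514 string, so escaped or quoted commas inside a value must be kept together rather than split naively.

```python
from typing import List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN string into (attribute, value) pairs.

    Backslash escapes and double-quoted values are honoured, so a comma or
    '=' inside a value does not start a new RDN."""
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    attr: Optional[str] = None
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):        # escaped character: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':                              # quoted value: toggle, drop the quote
            in_quotes = not in_quotes
        elif ch == "=" and attr is None and not in_quotes:
            attr = "".join(buf).strip()            # attribute type ends at the first '='
            buf = []
        elif ch == "," and not in_quotes:          # unquoted comma separates RDNs
            if attr is None:
                raise ValueError("RDN without '=' in DN")
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value in DN")
    if attr is None:
        raise ValueError("RDN without '=' in DN")
    pairs.append((attr, "".join(buf).strip()))
    return pairs


def authorization_string(subject_dn: str, dn_field: str) -> Optional[str]:
    """Return '<field>=<value>' for the configured DN field (e.g. 'CN=John Doe'),
    or None when the certificate subject carries no such attribute, in which
    case there is nothing to send and the user cannot be authorized."""
    wanted = dn_field.upper()
    for attr, value in parse_dn(subject_dn):
        if attr.upper() == wanted:
            return f"{wanted}={value}"
    return None
```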

Note When users authenticate using digital certificates, the TCP Port Forwarding JAVA applet does not work. JAVA does not have the ability to access the web browser’s keystore; therefore JAVA can not use the certificates that the browser used for user authentication, and the application cannot start.

Apply / Cancel

To apply your HTTPS settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | Tunneling and Security screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security screen.

Configuration | Tunneling and Security | SSL | Protocols

This screen lets you configure the encryption algorithms and SSL versions that the VPN Concentrator SSL server can negotiate with a client and use for session encryption.

Figure 15-19 Configuration | Tunneling and Security | SSL | Protocols Screen

Encryption Protocols

Check the Encryption Protocols check boxes for the encryption algorithms that the VPN Concentrator SSL server can negotiate with a client and use for session encryption. All are checked by default. You must check at least one algorithm to enable SSL. Unchecking all algorithms disables SSL.


The algorithms are negotiated in the order shown. You cannot change the order, but you can enable or disable selected algorithms.

• 3DES-168/SHA = Triple-DES encryption with a 168-bit key and the SHA-1 hash function. This is the strongest (most secure) option.

• RC4-128/MD5 = RC4 encryption with a 128-bit key and the MD5 hash function. This option is available in most SSL clients.

Note For WebVPN connections, RC4 encryption reduces performance dramatically.

• DES-56/SHA = DES encryption with a 56-bit key and the SHA-1 hash function.

SSL Version

Click the drop-down menu button and choose the SSL version to use. The versions used must match on both sides of the connection.

SSL Version 3 has more security options than Version 2, and TLS (Transport Layer Security) Version 1 has more security options than SSL Version 3. Some clients that send an SSL Version 2 “Hello” (initial negotiation), can actually use a more secure version during the session.

Choices are:

• Negotiate SSL V3/TLS V1 = The server tries to use SSL Version 3 but accepts TLS V1 if the client cannot use Version 3. It works with most browsers and Telnet/SSL clients. This is the default choice.

• Negotiate SSL V3 = The server tries to use SSL Version 3, but can accept a less secure option.

• SSL V3 Only = The server insists on SSL Version 3 only, which means that the client or browser must be configured for SSL V3 or the session cannot occur.

• TLS V1 Only = The server insists on TLS Version 1 only, which means that the client or browser must be configured for TLS V1 or the session cannot occur. At present, only Microsoft Internet Explorer 5.0 supports this option.

• Negotiate TLS V1 = The server tries to use TLS V1, but can accept a less secure option.

Note TCP Port Forwarding does not work when a WebVPN user connects with some SSL versions. The issue is that JAVA only negotiates SSLv3 in the Client Hello packet when you launch the Port Forwarding application. The results for each SSL Version setting are as follows:

SSL Version setting       Port Forwarding applet
Negotiate SSLv3           Java downloads
Negotiate SSLv3/TLSv1     Java downloads
Negotiate TLSv1           Java does NOT download
TLSv1 Only                Java does NOT download
SSLv3 Only                Java does NOT download


Apply / Cancel

To apply your Encryption settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | Tunneling and Security screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security screen.

Configuration | Tunneling and Security | WebVPN

This screen lets you configure access to resources for WebVPN users, and the appearance of WebVPN remote access sessions.

In the left frame, or in the list below, click the function you want to configure.

• HTTPS Proxy: the external proxy addresses to which all HTTP and HTTPS WebVPN addresses should be redirected.

• Home Page: the appearance of the home page for all WebVPN sessions.

• Logo: the logo to display for WebVPN sessions.

• E-mail Proxy: protocols and parameters for e-mail proxy sessions.

• Servers and URLs: file servers, e-mail servers, e-mail proxy servers, and URLs accessible over a WebVPN connection.

• Port Forwarding: access for remote users to client/server applications that communicate over fixed TCP ports.

Figure 15-20 Configuration | Tunneling and Security | WebVPN Screen


Configuration | Tunneling and Security | WebVPN | HTTP/HTTPS Proxy

The VPN Concentrator can terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers. These servers act as an intermediary between users and the Internet. Requiring all Internet access via a server the organization controls provides another opportunity for filtering to assure secure Internet access and administrative control.

Figure 15-21 Configuration | Tunneling and Security | WebVPN | HTTPS Proxy Screen

HTTP Proxy

Enter the external HTTP proxy server IP address to which all WebVPN HTTP requests should be directed. Accept the default value, 0.0.0.0, if you do not want to configure an external HTTP proxy server.

HTTP Proxy Port

Enter the port for the external HTTP proxy to use. The default is port 80.

HTTPS Proxy

Enter the external HTTPS proxy server IP address to which all WebVPN HTTPS requests should be directed. Accept the default value, 0.0.0.0, if you do not want to configure an external HTTPS proxy server.


HTTPS Proxy Port

Enter the port for the external HTTPS proxy to use. The default is port 443.

Default Idle Timeout

Enter the amount of time, in minutes, that a WebVPN session can be idle before the system terminates it. This idle timeout applies only if the Idle Timeout value in the user’s group is set to zero (0); otherwise the group Idle Timeout value takes precedence over the timeout you configure here. The minimum value you can enter is 1 minute. The default is 30 minutes.

We recommend that you set this parameter to a short time period. This is because a browser set to disable cookies (or one that prompts for cookies and then denies them) can result in a user not connecting but nevertheless appearing in the Administration | Administer Sessions database. If the Maximum Sessions parameter is set to one, the user cannot log back in because the database indicates that the maximum number of connections already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in again.

Apply / Cancel

To apply your settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | Tunneling and Security | WebVPN screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security | WebVPN screen.

Configuration | Tunneling and Security | WebVPN | Home Page

This screen lets you customize the appearance of the WebVPN user interface. By default the user interface displays the Cisco Systems logo and the title, “VPN 3000 Concentrator.” You can change the logo at the Configuration | Tunneling and Security | WebVPN | Web Logo page. In this screen you can change the title, login message, and screen and text colors. The Sample Display screen previews your color changes.


Figure 15-22 Configuration | Tunneling and Security | WebVPN | Home Page Screen

Title

Enter a title for the WebVPN user interface by overwriting the default title. The title can have a maximum of 255 characters, including spaces. You can use ASCII characters, including new line (the Enter key, which counts as two characters).

Login Message

You can create a message that users see on their screen when they enter their username and password to enter the site.

• To accept the default message, “Please enter your username and password,” skip this field.

• To create your own message, overwrite the existing text. The length of your message can be up to 255 characters.

Title Bar Color

To change the color of the title bar, enter a new color in one of the following formats:

• Name = the word that identifies the color. The name you enter must match exactly an RGB (red, green, blue) name.


• RGB (0,0,0) = range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

• HTML(#000000) = the RGB value expressed with six digits in hexadecimal format. The first and second represent red; the third and fourth green; and the fifth and sixth represent blue.

Note The number of RGB values recommended for use is 216, many fewer than the mathematical possibilities. Many displays can handle only 256 colors, and 40 of those look different on MACs and PCs. For best results, check published RGB tables. To find RGB tables online, enter RGB in a search engine.

Title Bar Text

Choose a color for title bar text. The options are Black, White, and Auto. Auto displays black or white, depending on the Title Bar color.

Secondary Bar Color

To change the color of the secondary bar, enter the color name or RGB or HTML value for the new color.

Secondary Bar Text

Choose a color for secondary bar text. The options are Black, White, and Auto. Auto displays black or white, depending on the Secondary Bar color.
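The following parser is an added example, not Cisco's code: it accepts the three color formats the Title Bar Color and Secondary Bar Color fields take (Name, RGB(0,0,0), HTML(#000000)), rejects malformed input, and picks the Auto text color. The color-name table is a constructed sample of standard RGB names, and the Auto rule (black on light bars, white on dark ones, judged by luma) is an assumption; the manual says only that Auto depends on the bar color.

```python
import re
from typing import Tuple

# Constructed sample of RGB color names; the real list is the published RGB table.
# The manual says the name must match exactly, so lookups are case-sensitive.
COLOR_NAMES = {
    "Black": (0, 0, 0), "White": (255, 255, 255), "Red": (255, 0, 0),
    "Green": (0, 128, 0), "Blue": (0, 0, 255), "Navy": (0, 0, 128),
    "Gray": (128, 128, 128),
}

# RGB (r,g,b): three decimal components, each 0-255
_RGB_RE = re.compile(r"^RGB\s*\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$")
# HTML(#rrggbb): six hex digits, red then green then blue
_HTML_RE = re.compile(r"^HTML\s*\(\s*#([0-9A-Fa-f]{6})\s*\)$")


def parse_color(text: str) -> Tuple[int, int, int]:
    """Return the (r, g, b) tuple for a Name, RGB(...) or HTML(#...) entry."""
    s = text.strip()
    m = _RGB_RE.match(s)
    if m:
        rgb = tuple(int(x) for x in m.groups())
        if any(c > 255 for c in rgb):
            raise ValueError(f"RGB component out of range 0-255: {s}")
        return rgb  # type: ignore[return-value]
    m = _HTML_RE.match(s)
    if m:
        h = m.group(1)
        # digits 1-2 are red, 3-4 green, 5-6 blue
        return int(h[0:2], 16), int(h[2:4], 16), int(h[4:6], 16)
    if s in COLOR_NAMES:
        return COLOR_NAMES[s]
    raise ValueError(f"unrecognised color (not a known name, RGB(...) or HTML(#...)): {text!r}")


def auto_text_color(bar_color: str) -> str:
    """'Auto' bar text: Black on light bars, White on dark ones (assumed rule,
    using ITU-R BT.601 luma with 128 as the dividing line)."""
    r, g, b = parse_color(bar_color)
    luma = 0.299 * r + 0.587 * g + 0.114 * b
    return "Black" if luma >= 128 else "White"
```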

Sample Display

This field displays the current color choices for WebVPN screens and text. It is dynamic, changing automatically after you have changed a value in any field.

Note The Sample Display does not work properly with Netscape 4.x.

Apply / Cancel

To apply your Home Page settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | Tunneling and Security | WebVPN screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security | WebVPN screen.


Configuration | Tunneling and Security | WebVPN | Logo

The Cisco Systems logo displays by default on WebVPN user screens. You can customize your end-user interface by uploading a new logo, or by using no logo.

Figure 15-23 Configuration | Tunneling and Security | WebVPN | Web Logo Screen

No Logo

Select No Logo if you don’t want the end-user WebVPN screens to display a logo.

Use Cisco’s logo

Accept the default, Use Cisco’s logo, to display the Cisco logo on the end-user WebVPN screens.

Upload a new logo

To customize the end-user WebVPN screens with a new logo, follow these steps:

Step 1 Add the desired logo file to the computer you are using to manage the VPN Concentrator. The size of the logo should be less than 100 x 100 pixels. Valid filetypes are JPEG, GIF, and PNG.

Step 2 Select Upload a new logo, and click the Browse button to locate and select the logo.

Step 3 Click Apply.

The Manager displays a Success message (Figure 15-24).


Figure 15-24 Logo Upload Success Screen

Step 4 Click Click here to see the logos.

Step 5 The Manager displays the Configuration | Tunneling and Security | WebVPN | Web Logo screen, which now shows the new, uploaded logo (Figure 15-25).

Figure 15-25 Configuration | Tunneling and Security | WebVPN | Web Logo Screen with Uploaded Logo

Step 6 To display the new logo on the end-user WebVPN home page, select Use uploaded logo, and click Apply.

Note If you later want to change to another logo, you can upload a new logo, which overwrites the current uploaded logo.

Apply / Cancel

To apply your Web Logo settings, and to include your settings in the active configuration, click Apply. If you have uploaded a new logo, the Manager displays a Success message and the uploaded logo, and then returns to the Configuration | Tunneling and Security | WebVPN screen.


Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security | WebVPN screen.

If the upload does not succeed, the Manager displays a Logo Upload Error screen.

Figure 15-26 Logo Upload Error Screen

Configuration | Tunneling and Security | WebVPN | E-Mail Proxy

This screen lets you configure e-mail proxies for WebVPN. They include IMAP4S, POP3S, and SMTPS. WebVPN e-mail proxy has requirements in addition to the configuration parameters on this screen. These include:

• Users who access e-mail from both local and remote locations via e-mail proxy require separate e-mail accounts on their e-mail program for local and remote access.

• When users attempt an e-mail session via e-mail proxy, the e-mail client establishes a tunnel using the SSL protocol, and then requires that the user authenticate.


Figure 15-27 Configuration | Tunneling and Security | WebVPN | E-Mail Screen

VPN Name Delimiter

Use the drop-down menu to select a delimiter that separates the VPN username from the e-mail username. Users need both usernames when using Concentrator authentication for e-mail proxy and the VPN username and e-mail username are different. Users enter both usernames, separated by the delimiter you configure here, and also the e-mail server name, when they log in to an e-mail proxy session.

Note Passwords for WebVPN e-mail proxy users cannot contain characters that are used as delimiters.

Server Delimiter

Use the drop-down menu to select a delimiter that separates the username from the name of the e-mail server. It must be different from the VPN Name Delimiter. Users enter both their username and server in the username field when they log in to an e-mail proxy session.

For example, using : as the VPN Name Delimiter and @ as the Server Delimiter, when logging in to an e-mail program via e-mail proxy, the user would enter their username in the format vpn password:e-mail password@server.

E-Mail Protocol

WebVPN supports three e-mail proxies: POP3S and IMAP4S for receiving e-mail, and SMTPS for sending e-mail.


Note To use these e-mail proxies, you must also allow these session types on the appropriate VPN Concentrator interface (Configuration | Interfaces | Ethernet 1,2,3 | WebVPN tab).

POP3S

POP3S is one of the e-mail proxies WebVPN supports. By default the VPN Concentrator listens on port 995, and connections are automatically allowed to port 995 or to the configured port. The POP3 proxy allows only SSL connections on that port. After the SSL tunnel is established, the POP3 protocol starts, and then authentication occurs.

IMAP4S

IMAP4S is one of the e-mail proxies WebVPN supports. By default the VPN Concentrator listens on port 993, and connections are automatically allowed to port 993 or to the configured port. The IMAP4 proxy allows only SSL connections on that port. After the SSL tunnel is established, the IMAP4 protocol starts, and then authentication occurs.

SMTPS

SMTPS is one of the e-mail proxies WebVPN supports. By default the VPN Concentrator listens on port 988, and connections are automatically allowed to port 988 or to the configured port. The SMTPS proxy allows only SSL connections on that port. After the SSL tunnel is established, the SMTPS protocol starts, and then authentication occurs.

SMTPS is the only one of these e-mail proxies that lets you send e-mail.

VPN Concentrator Port

Identifies the port on the VPN Concentrator that each e-mail proxy uses. You can change the port for any or all of the e-mail proxies. Be aware that the remote PC in a WebVPN connection may be using different ports for e-mail proxy traffic than the ports you configure for the VPN Concentrator.

Default E-Mail Server

Enter the name of the default server for the e-mail proxy you are configuring.

Authentication Required

Each e-mail proxy has several different methods that you can use to authenticate users. You can require them either singly or in combination, but you must configure at least one authentication method for each e-mail protocol.

E-Mail Server

Mail server authentication requires only the user’s e-mail username, server and password. IMAP4S and POP3S both require mail server authentication; you cannot uncheck these boxes.


Concentrator

Concentrator authentication authenticates the e-mail session by using its configured authentication servers. The user presents a username, server and password. Users must present both the VPN username and the e-mail username, separated by the VPN Name Delimiter, only if the usernames are different from each other.

Piggyback HTTPS

This authentication scheme requires a user to have already established a WebVPN session. The user presents an e-mail username only. No password is required. Users must present both the VPN username and the e-mail username, separated by the VPN Name Delimiter, only if the usernames are different from each other.

SMTPS e-mail most often uses piggyback authentication because most SMTP servers do not allow users to log in.

Piggyback HTTPS and IMAP Sessions

IMAP generates a number of sessions that are not limited by the simultaneous user count but do count against the number of simultaneous logins allowed for a username. If the number of IMAP sessions exceeds this maximum and the WebVPN connection expires, a user cannot subsequently establish a new connection.

There are several solutions:

• The user can close the IMAP application to clear the sessions with the VPN Concentrator, and then establish a new WebVPN connection.

• The administrator can increase the simultaneous logins for IMAP users (Configuration | User Management | Base Group/Groups/Users | Add/Modify | General tab).

• Disable HTTPS/Piggyback authentication for e-mail proxy.

Certificate

Certificate authentication requires that users have a certificate that the VPN Concentrator can validate during SSL negotiation. You can use certificate authentication as the only method of authentication for the SMTPS proxy. The other e-mail proxies require two authentication methods.

Certificate authentication requires three certificates, all from the same CA:

• A CA certificate on the VPN Concentrator

• A CA certificate on the client PC

• A Web Browser certificate on the client PC, sometimes called a Personal certificate.

E-mail proxy with certificate authentication does not work with Internet Explorer (IE). It does work with Netscape (Cisco tested using version 7.1), and with Mozilla (Cisco tested using version 1.2.1).

The following steps show you how to request and install these certificates. For complete instructions on enrolling and installing CA certificates, see Chapter 11, “Certificate Management.”

Step 1 If the VPN Concentrator does not already have a CA certificate installed, install a CA certificate.


• The CA must be the same one that you are using to issue the CA and Web Browser certificates on the client PC.

• The certificate must be base-64 encoded.

• Use a Netscape or Mozilla browser to install the CA certificate. If you use IE, the certificate downloads to the IE Crypto Application Program Interface (CAPI); the certificate must be in the CAPI for the browser you are actually using.

Step 2 Open the certificate using the Netscape or Mozilla Certificate Manager before importing it onto the VPN Concentrator.

Step 3 In the Downloading Certificates screen, make sure that the CA is trusted to identify websites and e-mail users (trusting software developers is optional). Alternatively, when the CA certificate has been loaded onto the concentrator, check the details of the certificate to ensure these trusted attributes are enabled.

Step 4 On the client PC, use a Netscape or Mozilla browser to request a CA certificate from the same certificate authority.

Step 5 On the client PC, request a Personal or Web Browser certificate from the same certificate authority. Complete the fields on the request form as follows:

• The certificate request must be for a Web Browser or Personal Certificate, not an E-mail Protection Certificate.

E-mail protection certificates are not for SSL connections; they are for encrypting and sending e-mail. Web Browser certificates protect the e-mail session over SSL.

• Name = account name, for example, JohnDoe.

• E-Mail = e-mail address being authenticated, for example, [email protected].

• Key strength Cisco tested = 1024; any of the choices should work.

• Password is optional, and applies only to the certificate for export purposes.

Step 6 When the certificate is generated, choose Install Certificate. In some cases, the CA installs it automatically.

Step 7 To verify that the certificate is installed, use the Netscape Certificate Management application. The path is Edit > Preferences > Privacy and Security > Certificates > Manage Certificates > Your Certificates.

Step 8 On the Configuration | Tunneling and Security | WebVPN | E-Mail Proxy screen, for Authentication Required, select E-Mail Server and Certificate.

Apply / Cancel

To apply your E-mail settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | Tunneling and Security | WebVPN screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security | WebVPN screen.


Configuration | Tunneling and Security | WebVPN | Servers and URLs

This screen lets you configure access to network resources for WebVPN users who are not in a group. Values you set here apply globally, and are the equivalent of base group parameters. The HTML interface visible to these WebVPN users varies depending on the values you set here. Users see a customized home page that includes only those features that you enable.

Note To enable WebVPN, you must also check the WebVPN checkbox in the Tunneling Protocols field of the General Tab in the Configuration | User Management | Base Group page.

Figure 15-28 Configuration | Tunneling and Security | WebVPN | Servers and URLs Screen

Servers and URLs

This box lists all the servers and URLs that are accessible to users in the Base Group. The types of servers you configure here include HTTP and file servers; these are for file shares, internal websites, e-mail proxies, and e-mail servers.

The user home page displays all servers and URLs that you configure here as hotlinks.

Add

To configure and add a new Server and URL to the list of Servers and URLs, click the Add button. See Configuration | Tunneling and Security | WebVPN | Servers and URLs | Add.


Modify

To modify a configured Server and URL, select it and click the Modify button. See Configuration | Tunneling and Security | WebVPN | Servers and URLs | Modify. Modifying a server does not affect connections currently using it, but changes do affect subsequent connections.

Delete

To delete a configured Server or URL, select it and click the Delete button. The Manager refreshes the screen and shows the remaining servers and URLs in the list. There is no confirmation or undo.

Servers or URLs that you delete remain visible to current end users; they refresh when the user next logs in.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Tunneling and Security | WebVPN | Servers and URLs | Add or Modify

This screen lets you configure servers and URLs that users in the Base Group can access through a WebVPN connection. The types of servers you configure here include web servers and file servers which provide the following resources:

• file shares

• internal websites

• e-mail proxies

• e-mail servers

The home page for users who are not members of a group displays all servers that you configure here. If you configure no servers or URLs, none are available to these users.


Figure 15-29 Configuration | Tunneling and Security | WebVPN | Servers and URLs | Add Screen

Name

Enter a short name or description that identifies this resource to end users.

Server Type

Select the type of server you are configuring.

• CIFS servers are file servers using NetBIOS names.

• HTTP servers are web servers.

• HTTPS servers are SSL encrypted web servers.

Remote Server

Enter the URL, DNS name, or network path of the remote server for end users to access.

Add or Apply / Cancel

Add screen:

• To add this server or URL to the list of Servers and URLs click Add or Apply. The Manager returns to the Configuration | Tunneling and Security | WebVPN | Servers and URLs screen. The server or URL you configured now displays in the list.

Modify screen:

• To apply your changes to a server or URL, click Apply. The Manager returns to the Configuration | Tunneling and Security | WebVPN | Servers and URLs screen.


Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security | WebVPN | Servers and URLs screen.


Configuration | Tunneling and Security | WebVPN | Port Forwarding

WebVPN Port Forwarding provides access for remote users to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access remote servers that support those applications.

Cisco has tested the following applications:

• Windows Terminal Services

• Telnet

• SSH

• Secure FTP (FTP over SSH)

• Perforce

• Outlook/Outlook Express

• Lotus Notes

• XDDTS

• Sametime Instant Messaging

Other TCP-based applications may also work, but Cisco has not tested them.

This feature requires installing Sun Microsystems Java™ Runtime Environment and configuring applications on the end user’s PC. Both require administrator permissions. It is therefore unlikely that users will be able to use applications when they connect from public remote systems, such as Internet kiosks or web cafes.

Note When users authenticate using digital certificates, the TCP Port Forwarding Java applet does not work. Java cannot access the web browser's keystore; therefore Java cannot use the certificates that the browser used for user authentication, and the application cannot start. Do not use digital certificates to authenticate WebVPN users if you want them to be able to access applications.

Note Port Forwarding does not work with some SSL/TLS versions. See Configuration | Tunneling and Security | SSL | Protocols | SSL Version field for more information.


Figure 15-30 Configuration | Tunneling and Security | WebVPN | Port Forwarding Screen

Forwarded Ports

This box lists all the applications that users in this group can access over a WebVPN connection. The format is:

Application name (Local TCP port -> Remote application server name or IP address:Remote TCP port).

Add

To configure and add a new forwarded port, click the Add button. See Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add.

Modify

To modify a configured forwarded port, select it and click the Modify button. See Configuration | Tunneling and Security | WebVPN | Port Forwarding | Modify.

Delete

To delete a configured forwarded port, select it and click the Delete button. The Manager refreshes the screen and shows the remaining forwarded ports in the list.


Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add or Modify

These screens let you add or modify global access to TCP-based applications for WebVPN users. You provide mapping information that the VPN Concentrator adds to the Hosts file on a user’s PC as the application opens. This mapping information lets the PC connect to the server at the central site that supports the desired application.

• For the user’s PC you configure the Local TCP Port for the application.

• For the server the user needs to access, you configure the Remote Server and Remote TCP Port.

Port forwarding can work only if the applications on remote servers are uniquely identified, and therefore reachable, either by hostname or by IP address and port.

• Hostnames, correctly defined on the VPN Concentrator global DNS servers, are constant, and are by definition unique. We recommend that you use hostnames.

• IP addresses change depending on the end user’s location relative to the remote server. If you identify the remote server by IP address, users must reconfigure the application on their PC each time they change location. See the task, “Using Applications,” in Table B-2, “WebVPN Remote System Configuration and End User Requirements,”for information on reconfiguring client applications when using IP addresses rather than hostnames.

You can have a maximum of 252 port forwarding entries.

Note When you configure the VPN Concentrator global DNS server, use fully qualified domain names.

Figure 15-31 Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add/Modify


Name

Enter a name or description by which remote users can readily identify the service or application.

Local TCP Port

Assign a TCP port on the user’s PC for this application to use. In the PC’s hosts file, the VPN Concentrator appends this local TCP port to the PC’s loopback IP address. This is how it uniquely names an application when the remote server is identified by IP address. If you use a hostname to identify the remote server, the VPN Concentrator appends the hostname to the loopback address, and ignores the local TCP port value.

Set the port in the range from 1024 to 65535 to avoid conflicts with existing services that may be on the user's workstation.

Remote Server

Enter the hostname or IP address of the remote server that supports this service or application.

While the VPN Concentrator accepts either IP addresses or hostnames, we recommend using hostnames because it is easier. If you use hostnames, you do not have to change the IP address of the server for client applications depending on whether the user is accessing these applications locally or remotely. The following sections explain why this is so.

Using Hostnames vs. IP Addresses

When you use a hostname to identify a remote server, the Java applet modifies the WebVPN Application Access hosts file (assuming the OS is Windows, and you have administrative privileges on the PC) to create an entry for each application server. For example, when you configure your first Port Forwarding remote server with hostname johndoew2ksrv, the Java applet creates a backup copy of the original hosts file, and then modifies the hosts file to include a WebVPN entry that maps johndoew2ksrv to a loopback IP address of 127.0.0.2. If your second port forwarding entry is NotesServer, the Java applet adds to the hosts file an entry that maps NotesServer to 127.0.0.3. These entries are then associated with the real remote application ports. Each entry is unique by virtue of the loopback address the Java applet assigns.

When you use an IP address to identify the remote server, the Java applet does not back up or modify the hosts file. It assigns each server the loopback IP address of 127.0.0.1 and the TCP port that is configured as the Local TCP Port. Since the assigned IP address is always 127.0.0.1, each entry must have a unique Local TCP Port to differentiate applications.

You configure client applications to communicate to a server address. When you use the hostname and remote TCP port, addressing information for application servers is the same regardless of the user’s location. When you use an IP address and local TCP port, addressing information changes as the user changes locations, and you have to reconfigure client applications on users’ PCs.

To summarize:

If you use IP addresses, users need to have client applications point to a 127.0.0.1 address and local port that can vary from location to location when connecting over WebVPN. They must reconfigure applications to a real IP address and port when they connect locally.

If you use hostnames, users can set their client applications to connect to the real hostname and TCP port for both remote WebVPN and directly connected sessions.
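The following model is an added example, not the applet's or Cisco's code. It turns a list of Port Forwarding entries into the hosts-file lines the page says the Java applet writes (one loopback address per hostname, starting at 127.0.0.2) and into the Local and Remote columns of the Application Access window (127.0.0.1 plus the Local TCP Port for IP-identified servers, hostname plus real port for the rest), and it enforces the constraints stated on this screen: at most 252 entries, local ports in 1024-65535, and a unique Local TCP Port for every IP-identified server. The hostnames johndoew2ksrv and NotesServer come from the text; the IP addresses, port numbers and the hosts-file comment text are constructed.

```python
"""Model of how WebVPN Port Forwarding names application servers on the user's PC.

Added example, not Cisco's applet code. Rules taken from this page: a remote server
identified by hostname gets a hosts-file line mapping it to its own loopback address
(127.0.0.2, 127.0.0.3, ...) and its Local TCP Port is ignored; a server identified by
IP address gets no hosts-file line and is named 127.0.0.1 plus its Local TCP Port,
which must therefore be unique; at most 252 entries; local ports in 1024-65535.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_ENTRIES = 252            # maximum number of port forwarding entries (from the page)
LOCAL_PORT_RANGE = (1024, 65535)
HOSTS_TAG = "# WebVPN"       # constructed marker for lines the model adds


@dataclass(frozen=True)
class ForwardedPort:
    name: str            # Name shown in the Application Access window
    local_port: int      # Local TCP Port
    remote_server: str   # Remote Server: hostname or IP address
    remote_port: int     # Remote TCP Port (the real port, e.g. 23 for Telnet)


def is_ip_address(server: str) -> bool:
    """True when the Remote Server field holds an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        return False


def validate(entries: List[ForwardedPort]) -> None:
    """Apply the constraints the page states; raise ValueError naming the offending entry."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"more than {MAX_ENTRIES} port forwarding entries")
    lo, hi = LOCAL_PORT_RANGE
    ip_local_ports: Dict[int, str] = {}
    for e in entries:
        if not lo <= e.local_port <= hi:
            raise ValueError(f"{e.name}: Local TCP Port {e.local_port} outside {lo}-{hi}")
        if is_ip_address(e.remote_server):
            # Every IP-identified server shares 127.0.0.1, so only the port tells them apart.
            if e.local_port in ip_local_ports:
                raise ValueError(f"{e.name}: Local TCP Port {e.local_port} already used "
                                 f"by {ip_local_ports[e.local_port]}")
            ip_local_ports[e.local_port] = e.name


def build_mappings(entries: List[ForwardedPort]) -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (hosts-file lines the applet would add, Application Access window rows)."""
    validate(entries)
    hosts_lines: List[str] = []
    rows: List[Dict[str, str]] = []
    next_loopback = 2        # the first hostname entry gets 127.0.0.2
    for e in entries:
        if is_ip_address(e.remote_server):
            local = f"127.0.0.1:{e.local_port}"
            remote = f"{e.remote_server}:{e.remote_port}"
        else:
            hosts_lines.append(f"127.0.0.{next_loopback}\t{e.remote_server}\t{HOSTS_TAG}")
            next_loopback += 1
            # For hostname entries the Local and Remote columns read the same
            local = remote = f"{e.remote_server}:{e.remote_port}"
        rows.append({"Name": e.name, "Local": local, "Remote": remote})
    return hosts_lines, rows


if __name__ == "__main__":
    demo = [ForwardedPort("Telnet", 2023, "johndoew2ksrv", 23),
            ForwardedPort("Notes", 1352, "NotesServer", 1352),
            ForwardedPort("SSH", 2222, "10.10.1.5", 22)]      # 10.10.1.5 is constructed
    lines, table = build_mappings(demo)
    print("\n".join(lines))
    for row in table:
        print(f'{row["Name"]:<8} {row["Local"]:<24} {row["Remote"]}')
```

Running the demo shows the two effects the text describes side by side: the hostname entries appear in the hosts-file output and have identical Local and Remote columns, while the IP-identified entry leaves the hosts file untouched and is reachable only as 127.0.0.1:2222, the address the user would have to change when connecting locally.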


Remote TCP Port

Enter the TCP/IP port for the client PC to use for this service or application. This is the real TCP port for the application; for example, 23 is the well-known port for Telnet.

Add or Apply / Cancel

Add screen:

• To add this port to the list of Forwarded Ports, click Add or Apply. The Manager returns to the Configuration | Tunneling and Security | WebVPN | Port Forwarding screen. The port you configured now displays in the list.

Modify screen:

• To apply your changes to a forwarded port, click Apply. The Manager returns to the Configuration | Tunneling and Security | WebVPN | Port Forwarding screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Tunneling and Security | WebVPN | Port Forwarding screen.

The WebVPN Application Access Window

To use applications over WebVPN, an end user clicks Application Access on the WebVPN home page. A Java applet opens the Application Access window; see Figure 15-32 for an example. This window displays the port forwarding applications previously configured in the Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add/Modify screens.

Figure 15-32 Example of a WebVPN Application Access Window


Application Access Window Fields

The fields in the Application Access window provide the following information.

Name

Identifies the application. This is the name that you assign in the Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add/Modify screen.

Local

The hostname or IP address and TCP port on the user’s PC that this application uses.

Remote

The hostname or IP address and port of the remote server that supports this service or application.

Note If you use hostnames for the Remote Server parameter in the Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add/Modify screen, the values in the Local and Remote fields in the Application Access window are identical. See the section, “Using Hostnames vs. IP Addresses” to understand why it is simpler to use hostnames.

Bytes Out/In

Records data traffic for the application in the current session.

Sockets

The number of sockets for the application in the current session.

About the Hosts File

WebVPN provides access to TCP-based applications by mapping application-specific ports on the end user’s PC to application-specific ports on servers behind the VPN Concentrator. When an end user accesses an application over WebVPN using hostnames to identify the application server, the VPN Concentrator modifies the Hosts file to include a mapping entry for that application.

Figure 15-33 provides an example of what the Hosts file would look like for the applications configured for the WebVPN session in Figure 15-32 above. Notice that the Hosts file has entries for the application servers identified by hostnames. The Hosts file does not record those identified by IP address.

Find the hosts file on your PC in WINDOWS > SYSTEM32 > DRIVERS > ETC.


Figure 15-33 Example of a Hosts File


Appendix A

Configuring an External Server for VPN Concentrator User Authorization

The VPN Concentrator supports user authorization on an external LDAP or RADIUS server. Before you configure the VPN Concentrator to use an external server, you must configure the server with the correct VPN Concentrator authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions given here to configure your external server.

If you are configuring an LDAP server, see “Configuring an External LDAP Server.”

If you are configuring a RADIUS server, skip ahead to “Configuring an External RADIUS Server.”

Configuring an External LDAP Server

Note For more information on the LDAP protocol, refer to RFCs 1777, 2251, and 2849.

An LDAP server stores information as entries in a directory. An LDAP schema defines what types of information can be stored in those entries. The schema lists classes and the set of (required and optional) attributes that objects of each class may contain.

To configure your LDAP server to interoperate with the VPN Concentrator, define a VPN Concentrator authorization schema. A VPN Concentrator authorization schema defines the class and attributes of that class that the VPN Concentrator supports. Specifically, it comprises the object class (cVPN3000-User-Authorization) and all its possible attributes that may be used to authorize a VPN Concentrator user (such as access hours, primary DNS, and so on). Each attribute comprises the attribute name, its number (called an object identifier or OID), its type, and its possible values.

Once you have defined the VPN Concentrator authorization schema and loaded it on your server, define the VPN Concentrator attributes and permissions and their respective values for each user whom the server will authorize.


In summary, to set up your LDAP server:

• Design your VPN Concentrator LDAP authorization schema based on the hierarchical set-up of your organization

• Define the VPN Concentrator authorization schema

• Load the schema on the LDAP server

• Define each user’s permissions on the LDAP server

The specific steps of these processes vary, depending on which type of LDAP server you are using.

Designing the VPN Concentrator LDAP Schema

Before you actually create your schema, think about how your organization is structured. Your LDAP schema should reflect the logical hierarchy of your organization.

For example, suppose an employee at your company XYZ Corporation is named Joe. Joe works in the Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set up a shallow, single-level hierarchy in which Joe is considered a member of XYZ corporation. Or, you could set up a multi-level hierarchy in which Joe is considered to be a member of the department Engineering, which is a member of an organizational unit called People, which is itself a member of XYZ Corporation. See Figure A-1 for an example of this multi-level hierarchy.

A multi-level hierarchy has more granularity, but a single level hierarchy is quicker to search.

Figure A-1 A Multi-Level LDAP Hierarchy

XYZCorporation.com Enterprise LDAP Hierarchy (figure rendered as text)

dc=XYZCorporation, dc=com                         Root/Top
  ou=People, ou=Equipment                         Organization Units
    Engineering, Marketing, HR                    Groups/Departments
      cn=joe, cn=bob, cn=george, cn=ann_smith     Users


Searching the Hierarchy

The VPN Concentrator allows you to tailor the search within the LDAP hierarchy. You configure the following three fields on the VPN Concentrator to define where in the LDAP hierarchy your search begins, its extent, and the type of information it is looking for. Together these fields allow you to limit the search to just the part of the tree that contains the user permissions.

• LDAP Base DN = This field defines where in the LDAP hierarchy the server should begin searching for user information when it receives an authorization request from the VPN Concentrator.

• Search Scope = This field defines the extent of the search in the LDAP hierarchy. The search proceeds this many levels in the hierarchy below the LDAP Base DN. You can choose to have the server search only the level immediately below, or it can search the entire subtree. A single level search is quicker, but a subtree search is more extensive.

• Naming Attribute(s) = This field defines the Relative Distinguished Name (RDN) that uniquely identifies an entry in the LDAP server. Common naming attributes are: cn (Common Name) and uid (user identification).

Figure A-1 shows a possible LDAP hierarchy for XYZ Corporation. Given this hierarchy, you could define your search in different ways. Table A-1 shows two possible search configurations.

In the first example configuration, when Joe establishes his IPSec tunnel with LDAP authorization required, the VPN Concentrator sends a search request to the LDAP server indicating it should search for Joe in the Engineering group. This search will be quick.

In the second example configuration, the VPN Concentrator sends a search request indicating the server should search for Joe within XYZ Corporation. This search will take longer.

Authorizing the VPN Concentrator to the LDAP Server

Some LDAP servers (including the Microsoft Active Directory server) require the VPN Concentrator to establish a handshake via authenticated binding before they will accept requests for any other LDAP operations. The VPN Concentrator identifies itself for authenticated binding by attaching a Login DN field to the user authentication request. The Login DN field defines the VPN Concentrator’s authentication characteristics; these characteristics should correspond to those of a user with administration privileges. An example Login DN field could be: cn=Administrator, cn=users, ou=people, dc=XYZ Corporation, dc=com.

Table A-1 Example Search Configurations

#  LDAP Base DN                                           Search Scope  Naming Attribute  Result
1  group=Engineering,ou=People,dc=XYZCorporation,dc=com   One Level     cn=Joe            Quicker search
2  dc=XYZCorporation,dc=com                               Subtree       cn=Joe            Longer search
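The simulation below is an added example, not Cisco code or the LDAP server's search implementation. It builds the Figure A-1 hierarchy as a list of DNs (which user sits under which group is an assumption, since the figure does not say), then runs the two Table A-1 searches plus a third one that shows the failure mode an administrator most often hits: a One Level scope combined with a Base DN that is too high in the tree finds no user entry at all, so authorization fails although the user exists. DN components are compared case-insensitively, which is why the table's cn=Joe matches the figure's cn=joe.

```python
"""Simulate an LDAP search as the VPN Concentrator configures it: Base DN, Search Scope
and Naming Attribute. Added example, not Cisco code. The directory is built from Figure
A-1 (group membership of the four users is assumed); the searches are those of Table A-1.
"""
from typing import List, Tuple

# Constructed directory: every entry of the Figure A-1 hierarchy as a DN string
DIRECTORY = [
    "dc=XYZCorporation,dc=com",
    "ou=People,dc=XYZCorporation,dc=com",
    "ou=Equipment,dc=XYZCorporation,dc=com",
    "group=Engineering,ou=People,dc=XYZCorporation,dc=com",
    "group=Marketing,ou=People,dc=XYZCorporation,dc=com",
    "group=HR,ou=People,dc=XYZCorporation,dc=com",
    "cn=joe,group=Engineering,ou=People,dc=XYZCorporation,dc=com",
    "cn=bob,group=Engineering,ou=People,dc=XYZCorporation,dc=com",
    "cn=george,group=Marketing,ou=People,dc=XYZCorporation,dc=com",
    "cn=ann_smith,group=HR,ou=People,dc=XYZCorporation,dc=com",
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """'cn=Joe, ou=People' -> [('cn', 'joe'), ('ou', 'people')]; leftmost RDN first.

    Attribute types and values are lower-cased so that comparisons are case-insensitive,
    as LDAP treats cn, ou and dc values; spaces after commas are tolerated.
    """
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def search(directory: List[str], base_dn: str, scope: str,
           naming_attr: str, value: str) -> Tuple[List[str], int]:
    """Return (matching DNs, number of entries examined).

    scope 'onelevel' considers only entries directly below the base DN; 'subtree'
    considers every entry below it. The base entry itself is never returned.
    """
    if scope not in ("onelevel", "subtree"):
        raise ValueError("scope must be 'onelevel' or 'subtree'")
    base = parse_dn(base_dn)
    hits: List[str] = []
    examined = 0
    for dn in directory:
        rdns = parse_dn(dn)
        depth = len(rdns) - len(base)          # how many levels below the base this entry is
        if depth < 1 or rdns[-len(base):] != base:
            continue                           # not under the base DN at all
        if scope == "onelevel" and depth != 1:
            continue                           # deeper than the one level requested
        examined += 1
        attr, val = rdns[0]                    # the RDN that names this entry
        if attr == naming_attr.lower() and val == value.lower():
            hits.append(dn)
    return hits, examined


if __name__ == "__main__":
    for base, scope in [("group=Engineering,ou=People,dc=XYZCorporation,dc=com", "onelevel"),
                        ("dc=XYZCorporation,dc=com", "subtree"),
                        ("dc=XYZCorporation,dc=com", "onelevel")]:   # the misconfiguration
        found, n = search(DIRECTORY, base, scope, "cn", "Joe")
        print(f"{scope:<8} under {base}: examined {n}, found {found}")
```

The examined count is the simulation's stand-in for the "quicker" and "longer" columns of Table A-1: the Engineering-scoped search looks at two entries, the subtree search from the root at nine. The third run, One Level from the root, examines only the two organizational units and never reaches cn=joe.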


Defining the VPN Concentrator LDAP Schema

Once you have decided how to structure your user information in the LDAP hierarchy, define this organization in a schema. To define the schema, begin by defining the object class name. The class name for the VPN Concentrator directory is: cVPN3000-User-Authorization. The class has the object identifier (OID): 1.2.840.113556.1.8000.795.1.1. Every entry or user in the directory is an object of this class.

Some LDAP servers (for example, the Microsoft Active Directory LDAP server) do not allow you to reuse the class OID, once you have defined it. Use the next incremental OID. For example, if you incorrectly defined the class name as “cVPN3000-Usr-Authrizaton” with OID “1.2.840.113556.1.8000.795.1.1,” you can enter the correct class name “cVPN3000-User-Authorization” with the next OID, for example: 1.2.840.113556.1.8000.795.1.2.

For the Microsoft Active Directory LDAP server, define the schema in text form in a file using the LDAP Data Interchange Format (LDIF). This file has an extension of .ldif, for example: schema.ldif. Other LDAP servers use graphical user interfaces or script files to define the object class and its attributes.

All schema attributes that the VPN Concentrator supports begin with the letters “cVPN3000”; for example: cVPN3000-Access-Hours. For a complete list of attributes, see Table A-2.

All strings are case-sensitive.

Table A-2 VPN Concentrator Supported LDAP Authorization Schema Attributes

Attribute Name | OID (Object Identifier) | Syntax/Type | Single or Multi-Valued | Possible Values
cVPN3000-Access-Hours | 1.2.840.113556.8000.795.2.1 | String | Single | An octet string
cVPN3000-Simultaneous-Logins | 1.2.840.113556.8000.795.2.2 | Integer | Single | An integer
cVPN3000-Primary-DNS | 1.2.840.113556.8000.795.2.3 | String | Single | An IP address
cVPN3000-Secondary-DNS | 1.2.840.113556.8000.795.2.4 | String | Single | An IP address
cVPN3000-Primary-WINS | 1.2.840.113556.8000.795.2.5 | String | Single | An IP address
cVPN3000-Secondary-WINS | 1.2.840.113556.8000.795.2.6 | String | Single | An IP address
cVPN3000-SEP-Card-Assignment | 1.2.840.113556.8000.795.2.7 | Integer | Single | 1 = SEP1; 2 = SEP2; 3 = SEP3; 4 = SEP4; 15 = Any SEP
cVPN3000-Tunneling-Protocols | 1.2.840.113556.8000.795.2.8 | Integer | Single | 1 = PPTP; 2 = L2TP; 3 = PPTP and L2TP; 4 = IPSec; 5 = PPTP and IPSec; 6 = L2TP and IPSec; 7 = PPTP-L2TP-IPSec; 8 = L2TP/IPSec; 9 = PPTP and L2TP/IPSec; 10 = L2TP and L2TP/IPSec; 11 = PPTP-L2TP-L2TP/IPSec
cVPN3000-IPSec-Sec-Association | 1.2.840.113556.8000.795.2.9 | String | Single | An octet string
cVPN3000-IPSec-Authentication | 1.2.840.113556.8000.795.2.10 | Integer | Single | 0 = None; 1 = RADIUS; 3 = NT Domain; 4 = SDI; 5 = Internal; 6 = RADIUS with Expiry; 7 = Kerberos/Active Directory
cVPN3000-IPSec-Banner1 | 1.2.840.113556.8000.795.2.11 | String | Single | An octet string
cVPN3000-IPSec-Allow-Passwd-Store | 1.2.840.113556.8000.795.2.12 | Boolean | Single | TRUE = Allow; FALSE = Disallow
cVPN3000-Use-Client-Address | 1.2.840.113556.8000.795.2.13 | Boolean | Single | TRUE = Allow; FALSE = Disallow
cVPN3000-PPTP-Encryption | 1.2.840.113556.8000.795.2.14 | Integer | Single | 2 = 40 bits; 3 = 40-Encryption-Req; 4 = 128 bits; 5 = 128-Encryption-Req; 6 = 40 or 128; 7 = 40 or 128 Encryption-Req; 10 = 40 Stateless-Req; 11 = Enc/Stateless-Req; 12 = 128 Stateless-Req; 13 = 128 Enc/Stateless-Req; 14 = 40/128-Stateless-Req; 15 = 40/128-Enc/Stateless-Req
cVPN3000-L2TP-Encryption | 1.2.840.113556.8000.795.2.15 | Integer | Single | 2 = 40 bits; 3 = 40-Encryption-Req; 4 = 128 bits; 5 = 128-Encr-Req; 6 = 40 or 128; 7 = 40 or 128-Encr-Req; 10 = 40-Stateless-Req; 11 = Encr/Stateless-Req; 12 = 128-Stateless-Req; 13 = 128-Encr/Stateless-Req; 14 = 40/128-Stateless-Req; 15 = 40/128-Encr/Stateless-Req
cVPN3000-IPSec-Split-Tunnel-List | 1.2.840.113556.8000.795.2.16 | String | Single | An octet string
cVPN3000-IPSec-Default-Domain | 1.2.840.113556.8000.795.2.17 | String | Single | An octet string
cVPN3000-IPSec-Split-DNS-Names | 1.2.840.113556.8000.795.2.18 | String | Single | An octet string
cVPN3000-IPSec-Tunnel-Type | 1.2.840.113556.8000.795.2.19 | Integer | Single | 1 = LAN-to-LAN; 2 = Remote access
cVPN3000-IPSec-Mode-Config | 1.2.840.113556.8000.795.2.20 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-IPSec-User-Group-Lock | 1.2.840.113556.8000.795.2.21 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-IPSec-Over-UDP | 1.2.840.113556.8000.795.2.22 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-IPSec-Over-UDP-Port | 1.2.840.113556.8000.795.2.23 | Integer | Single | An integer
cVPN3000-IPSec-Banner2 | 1.2.840.113556.8000.795.2.24 | String | Single | An octet string
cVPN3000-PPTP-MPPC-Compression | 1.2.840.113556.8000.795.2.25 | Integer | Single | 1 = ON; 2 = OFF
cVPN3000-L2TP-MPPC-Compression | 1.2.840.113556.8000.795.2.26 | Integer | Single | 0 = ON; 1 = OFF
cVPN3000-IPSec-IP-Compression | 1.2.840.113556.8000.795.2.27 | Integer | Single | 0 = None; 1 = LZS
cVPN3000-IPSec-IKE-Peer-ID-Check | 1.2.840.113556.8000.795.2. | Integer | Single | 1 = Required; 2 = If supported by certificate; 3 = Do not check
cVPN3000-IKE-Keep-Alives | 1.2.840.113556.8000.795.2.29 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-IPSec-Auth-On-Rekey | 1.2.840.113556.8000.795.2.30 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-Required-Client-Firewall-Vendor-Code | 1.2.840.113556.8000.795.2.31 | Integer | Single | 1 = Cisco Systems (with Cisco Integrated Client); 2 = Zone Labs; 3 = NetworkICE; 4 = Sygate; 5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)
cVPN3000-Required-Client-Firewall-Product-Code | 1.2.840.113556.8000.795.2.32 | Integer | Single | Cisco Systems products: 1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC). Zone Labs products: 1 = Zone Alarm; 2 = Zone AlarmPro; 3 = Zone Labs Integrity. NetworkICE product: 1 = BlackIce Defender/Agent. Sygate products: 1 = Personal Firewall; 2 = Personal Firewall Pro; 3 = Security Agent
cVPN3000-Required-Client-Firewall-Description | 1.2.840.113556.8000.795.2.33 | String | Single | An octet string
cVPN3000-Require-HW-Client-Auth | 1.2.840.113556.8000.795.2.34 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-Require-Individual-User-Auth | 1.2.840.113556.8000.795.2.35 | Integer | Single | An integer
cVPN3000-Authenticated-User-Idle-Timeout | 1.2.840.113556.8000.795.2.36 | Integer | Single | An integer
cVPN3000-Cisco-IP-Phone-Bypass | 1.2.840.113556.8000.795.2.37 | Integer | Single | 2 = Enabled; 3 = Disabled
cVPN3000-IPSec-Split-Tunneling-Policy | 1.2.840.113556.8000.795.2.38 | Integer | Single | 0 = Tunnel everything; 1 = Only tunnel networks in list; 2 = Policy Pushed CPP; 4 = Policy from server
cVPN3000-IPSec-Required-Client-Firewall-Capability | 1.2.840.113556.8000.795.2.39 | Integer | Single | 0 = None; 1 = Policy defined by remote FW AYT; 2 = Policy pushed CPP; 4 = Policy from server
cVPN3000-IPSec-Client-Firewall-Filter-Name | 1.2.840.113556.8000.795.2.40 | String | Single | An octet string
cVPN3000-IPSec-Client-Firewall-Filter-Optional | 1.2.840.113556.8000.795.2.41 | Integer | Single | 0 = Required; 1 = Optional
cVPN3000-IPSec-Backup-Servers | 1.2.840.113556.8000.795.2.42 | String | Single | 1 = Use Client-Configured list; 2 = Disabled and clear client list; 3 = Use Backup Server list
cVPN3000-IPSec-Backup-Server-List | 1.2.840.113556.8000.795.2.43 | String | Single | An octet string
cVPN3000-Client-Intercept-DHCP-Configure-Msg | 1.2.840.113556.8000.795.2.44 | Boolean | Single | TRUE = Yes; FALSE = No
cVPN3000-MS-Client-Subnet-Mask | 1.2.840.113556.8000.795.2.45 | String | Single | An IP address
cVPN3000-Allow-Network-Extension-Mode | 1.2.840.113556.8000.795.2.46 | Boolean | Single | TRUE = Yes; FALSE = No
cVPN3000-Strip-Realm | 1.2.840.113556.8000.795.2.47 | Boolean | Single | TRUE = On; FALSE = Off
cVPN3000-Cisco-AV-Pair | 1.2.840.113556.8000.795.2.48 | String | Multiple | An octet string in the following format: [Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]. For more information, see “Cisco-AV-Pair Attribute Syntax.”
cVPN3000-User-Auth-Server-Name | 1.2.840.113556.8000.795.2.49 | String | Single | An octet string
cVPN3000-User-Auth-Server-Port | 1.2.840.113556.8000.795.2.50 | Integer | Single | An integer
cVPN3000-User-Auth-Server-Secret | 1.2.840.113556.8000.795.2.51 | String | Single | An octet string
cVPN3000-Confidence-Interval | 1.2.840.113556.8000.795.2.52 | Integer | Single | An integer
cVPN3000-Cisco-LEAP-Bypass | 1.2.840.113556.8000.795.2.53 | Integer | Single | An integer
cVPN3000-DHCP-Network-Scope | 1.2.840.113556.8000.795.2.57 | String | Single | An IP address
cVPN3000-Client-Type-Version-Limiting | | String | Single | An octet string
cVPN3000-WebVPN-Content-Filter-Parameters | | Integer | Single | 1 = Java & ActiveX; 2 = Java scripts; 4 = Images; 8 = Cookies. Add the values to filter multiple parameters. For example, enter 10 to filter both Java scripts and cookies (10 = 2 + 8).
cVPN3000-WebVPN-Enable-functions | | Integer | Single | 1 = URL entry; 2 = File access; 4 = File server entry; 8 = File server browsing; 16 = Web mail; 32 = Port forwarding; 64 = Outlook/Exchange Proxy; 128 = ACL Apply; 256 = Citrix support [Not yet available]. Add the values to enable multiple parameters. For example, enter 111 to enable all of the following: URL entry, file access, file server entry, file server browsing, port forwarding, and Outlook/Exchange Proxy (111 = 1 + 2 + 4 + 8 + 32 + 64).
cVPN3000-WebVPN-Exchange-Server-Address | | String | Single | An IP address or hostname
cVPN3000-WebVPN-Exchange-Server-NETBIOS-Name | | String | Single | An octet string
cVPN3000-Port-Forwarding-Name | | String | Single | An octet string. This text replaces the default string, “Application Access,” on the WebVPN home page.


Cisco-AV-Pair Attribute Syntax

The syntax of each Cisco-AV-Pair rule is as follows:

[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]

For example:

ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log

webvpn:inacl#1=permit url http://www.cnn.com
webvpn:inacl#2=deny smtp any host 10.1.3.5
webvpn:inacl#3=permit cifs://mar_server/peopleshare1

Field | Description
Prefix | A unique identifier for the AV pair, for example ip:inacl#1= (used for standard ACLs) or webvpn:inacl#1= (used for WebVPN ACLs). This field only appears when the filter has been sent as an AV pair.
Action | Action to perform if the rule matches: deny or permit.
Protocol | Number or name of an IP protocol: either an integer in the range 0-255 or one of the following keywords: icmp, igmp, ip, tcp, udp.
Source | Network or host from which the packet is sent, specified as an IP address, a hostname, or the keyword “any”. If specified as an IP address, the source wildcard mask must follow.
Source Wildcard Mask | The wildcard mask to be applied to the source address.
Destination | Network or host to which the packet is sent, specified as an IP address, a hostname, or the keyword “any”. If specified as an IP address, the destination wildcard mask must follow.
Destination Wildcard Mask | The wildcard mask to be applied to the destination address.
Log | Generates a FILTER log message. You must use this keyword to generate events of severity level 9.
Operator | Logic operators: greater than, less than, equal to, not equal to.
Port | The number of a TCP or UDP port, in the range 0-65535.


The following chart lists the tokens for the Cisco-AV-Pair attribute:

Table A-3 VPN Concentrator-Supported Tokens

Token | Syntax Field | Description
ip:inacl#Num= | N/A (Identifier) | Starts all AV pair access control lists (Num is a unique integer).
webvpn:inacl#Num= | N/A (Identifier) | Starts all WebVPN AV pair access control lists (Num is a unique integer).
deny | Action | Denies action. (Default.)
permit | Action | Allows action.
icmp | Protocol | Internet Control Message Protocol (ICMP)
1 | Protocol | Internet Control Message Protocol (ICMP)
IP | Protocol | Internet Protocol (IP)
0 | Protocol | Internet Protocol (IP)
TCP | Protocol | Transmission Control Protocol (TCP)
6 | Protocol | Transmission Control Protocol (TCP)
UDP | Protocol | User Datagram Protocol (UDP)
17 | Protocol | User Datagram Protocol (UDP)
any | Hostname | Rule applies to any host.
host | Hostname | Any alphanumeric string that denotes a hostname.
log | Log | When the event is hit, a filter log message appears. (Same as permit and log or deny and log.)
lt | Operator | Less than value
gt | Operator | Greater than value
eq | Operator | Equal to value
neq | Operator | Not equal to value
range | Operator | Inclusive range. Should be followed by two values.


Example VPN Concentrator Authorization Schema

This section provides a sample of an LDAP schema. This schema supports the VPN Concentrator class and attributes. It is specific to the Microsoft Active Directory LDAP server. Use it as a model, in conjunction with Table A-2, to define your own schema for your own LDAP server.

Note For more information on LDIF, refer to RFC-2849.

Schema 3k_schema.ldif

dn: CN=cVPN3000-Access-Hours,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
changetype: add
adminDisplayName: cVPN3000-Access-Hours
attributeID: 1.2.840.113556.1.8000.795.2.1
attributeSyntax: 2.5.5.3
cn: cVPN3000-Access-Hours
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: cVPN3000-Access-Hours
distinguishedName: CN=cVPN3000-Access-Hours,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
objectClass: attributeSchema
oMSyntax: 27
name: cVPN3000-Access-Hours
showInAdvancedViewOnly: TRUE

.... (define subsequent VPN Concentrator authorization attributes here)

dn: CN=cVPN3000-Primary-DNS,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
changetype: add
adminDisplayName: cVPN3000-Primary-DNS
attributeID: 1.2.840.113556.1.8000.795.2.3
attributeSyntax: 2.5.5.3
cn: cVPN3000-Primary-DNS
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: cVPN3000-Primary-DNS
distinguishedName: CN=cVPN3000-Primary-DNS,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
objectClass: attributeSchema
oMSyntax: 27
name: cVPN3000-Primary-DNS
showInAdvancedViewOnly: TRUE

.... (define subsequent VPN Concentrator authorization attributes here)


dn: CN=cVPN3000-Confidence-Interval,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
changetype: add
adminDisplayName: cVPN3000-Confidence-Interval
attributeID: 1.2.840.113556.1.8000.795.2.52
attributeSyntax: 2.5.5.9
cn: cVPN3000-Confidence-Interval
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: cVPN3000-Confidence-Interval
distinguishedName: CN=cVPN3000-Confidence-Interval,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
objectCategory:

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=cVPN3000-User-Authorization,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
changetype: add
adminDisplayName: cVPN3000-User-Authorization
adminDescription: Cisco Class Schema
cn: cVPN3000-User-Authorization
defaultObjectCategory: CN=cVPN3000-User-Authorization,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
governsID: 1.2.840.113556.1.8000.795.1.1
instanceType: 4
lDAPDisplayName: cVPN3000-User-Authorization
mustContain: cn
mayContain: cVPN3000-Access-Hours
mayContain: cVPN3000-Simultaneous-Logins
mayContain: cVPN3000-Primary-DNS
...
mayContain: cVPN3000-Confidence-Interval
mayContain: cVPN3000-Cisco-LEAP-Bypass
distinguishedName: CN=cVPN3000-User-Authorization,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,OU=People,DC=XYZCorporation,DC=com
objectClass: classSchema
objectClassCategory: 1
possSuperiors: organizationalUnit
name: cVPN3000-User-Authorization
rDNAttID: cn
showInAdvancedViewOnly: TRUE
subClassOf: top
systemOnly: FALSE


dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

Loading the Schema in the LDAP Server

Note The directions in this section are specific to the Microsoft Active Directory LDAP server. If you have a different type of server, refer to your server documentation for information on loading a schema.

To load the schema on the LDAP server, enter the following command from the directory where the schema file resides: ldifde -i -f <schema file name>. For example: ldifde -i -f 3k_schema.ldif

Defining User Permissions

Note The directions in this section are specific to the Microsoft Active Directory LDAP server. If you have a different type of server, refer to your server documentation for information on defining and loading user attributes.

For each user authorizing to your LDAP server, define a user file. A user file defines all the VPN Concentrator attributes and values associated with a particular user. Each user is an object of the class cVPN3000-User-Authorization. To define the user file, use any text editor. The file must have the extension .ldif. (For an example user file, see “ann_smith.ldif.”)

To load the user file on the LDAP server, enter the following command from the directory where your user file (ldap_user.ldif below) resides: ldifde -i -f ldap_user.ldif. For example: ldifde -i -f ann_smith.ldif

Once you have created and loaded both the schema and the user file, your LDAP server is ready to process VPN Concentrator authorization requests.


Example User File

This section provides a sample of a user file for the user Ann Smith.

ann_smith.ldif

dn: cn=ann_smith,OU=People,DC=XYZCorporation,DC=com
changetype: add
cn: ann_smith
cVPN3000-Access-Hours: Corporate_time
cVPN3000-Simultaneous-Logins: 2
cVPN3000-IPSec-Over-UDP: TRUE
cVPN3000-IPSec-Over-UDP-Port: 12125
cVPN3000-IPSec-Banner1: Welcome to the XYZ Corporation!!!
cVPN3000-IPSec-Banner2: Unauthorized access is prohibited!!!!!
cVPN3000-Primary-DNS: 10.10.4.5
cVPN3000-Secondary-DNS: 10.11.12.7
cVPN3000-Primary-WINS: 10.20.1.44
cVPN3000-SEP-Card-Assignment: 1
cVPN3000-IPSec-Tunnel-Type: 2
cVPN3000-Tunneling-Protocols: 7
cVPN3000-Confidence-Interval: 300
cVPN3000-IPSec-Allow-Passwd-Store: TRUE
objectClass: cVPN3000-User-Authorization
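As an added example (not Cisco's code), this Python builds a user file shaped like ann_smith.ldif while checking each value against the Table A-2 syntax for a subset of the attributes, composing the additive WebVPN bit values (111 = 1 + 2 + 4 + 8 + 32 + 64), and base64-encoding any value that is not an LDIF SAFE-STRING under RFC 2849. SCHEMA and FLAG_SETS are transcribed from Table A-2; the base DN is the one used in the examples above.

```python
# Build and validate a cVPN3000-User-Authorization LDIF user entry (added example, not Cisco's code).
import base64
import ipaddress

# Subset of Table A-2: attribute -> (syntax, listed integer values, or None when any integer is allowed).
SCHEMA = {
    "cVPN3000-Access-Hours": ("String", None),
    "cVPN3000-Simultaneous-Logins": ("Integer", None),
    "cVPN3000-Primary-DNS": ("IP", None),
    "cVPN3000-Secondary-DNS": ("IP", None),
    "cVPN3000-Primary-WINS": ("IP", None),
    "cVPN3000-SEP-Card-Assignment": ("Integer", {1, 2, 3, 4, 15}),
    "cVPN3000-Tunneling-Protocols": ("Integer", set(range(1, 12))),
    "cVPN3000-IPSec-Tunnel-Type": ("Integer", {1, 2}),
    "cVPN3000-IPSec-Over-UDP": ("Boolean", None),
    "cVPN3000-IPSec-Over-UDP-Port": ("Integer", None),
    "cVPN3000-IPSec-Banner1": ("String", None),
    "cVPN3000-IPSec-Banner2": ("String", None),
    "cVPN3000-Confidence-Interval": ("Integer", None),
    "cVPN3000-IPSec-Allow-Passwd-Store": ("Boolean", None),
    "cVPN3000-WebVPN-Content-Filter-Parameters": ("Integer", None),  # additive bits, see FLAG_SETS
    "cVPN3000-WebVPN-Enable-functions": ("Integer", None),            # additive bits, see FLAG_SETS
}

# Bit values of the two additive WebVPN attributes, from Table A-2.
FLAG_SETS = {
    "cVPN3000-WebVPN-Content-Filter-Parameters": {
        "Java & ActiveX": 1, "Java scripts": 2, "Images": 4, "Cookies": 8},
    "cVPN3000-WebVPN-Enable-functions": {
        "URL entry": 1, "File access": 2, "File server entry": 4, "File server browsing": 8,
        "Web mail": 16, "Port forwarding": 32, "Outlook/Exchange Proxy": 64, "ACL Apply": 128,
        "Citrix support": 256},
}

def encode_flags(attr, names):
    """Add the bit values of the named options (six WebVPN functions give 111)."""
    return sum(FLAG_SETS[attr][name] for name in names)

def decode_flags(attr, value):
    """Inverse of encode_flags; rejects bits that Table A-2 does not define."""
    bits = FLAG_SETS[attr]
    undefined = value & ~sum(bits.values())
    if undefined:
        raise ValueError(f"{attr}: undefined bits set: {undefined}")
    return [name for name, bit in bits.items() if value & bit]

def validate(attr, value):
    """Check value against its Table A-2 syntax; return the canonical string form."""
    syntax, allowed = SCHEMA[attr]
    if syntax == "Boolean" and value not in ("TRUE", "FALSE"):
        raise ValueError(f"{attr}: expected TRUE or FALSE")
    if syntax == "Integer":
        number = int(value)
        if allowed is not None and number not in allowed:
            raise ValueError(f"{attr}: {number} is not a listed value")
        if attr in FLAG_SETS:
            decode_flags(attr, number)
        value = number
    if syntax == "IP":
        value = ipaddress.IPv4Address(value)  # raises on anything that is not an IPv4 address
    return str(value)

def ldif_line(attr, value):
    """RFC 2849: a value that is not a SAFE-STRING is base64-encoded after '::'."""
    unsafe_start = value[:1] in (" ", ":", "<")
    if unsafe_start or not value.isascii() or any(c in value for c in "\r\n\0"):
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"

def build_user_ldif(cn, base_dn, attributes):
    """Emit an 'add' entry of class cVPN3000-User-Authorization, shaped like ann_smith.ldif."""
    lines = [f"dn: cn={cn},{base_dn}", "changetype: add", f"cn: {cn}"]
    for attr, value in attributes.items():
        lines.append(ldif_line(attr, validate(attr, value)))
    lines.append("objectClass: cVPN3000-User-Authorization")
    return "\n".join(lines) + "\n"

# The values of ann_smith.ldif above, plus the WebVPN example value 111 from Table A-2.
ANN_SMITH = {
    "cVPN3000-Access-Hours": "Corporate_time",
    "cVPN3000-Simultaneous-Logins": 2,
    "cVPN3000-IPSec-Over-UDP": "TRUE",
    "cVPN3000-IPSec-Over-UDP-Port": 12125,
    "cVPN3000-IPSec-Banner1": "Welcome to the XYZ Corporation!!!",
    "cVPN3000-IPSec-Banner2": "Unauthorized access is prohibited!!!!!",
    "cVPN3000-Primary-DNS": "10.10.4.5",
    "cVPN3000-Secondary-DNS": "10.11.12.7",
    "cVPN3000-Primary-WINS": "10.20.1.44",
    "cVPN3000-SEP-Card-Assignment": 1,
    "cVPN3000-IPSec-Tunnel-Type": 2,
    "cVPN3000-Tunneling-Protocols": 7,
    "cVPN3000-Confidence-Interval": 300,
    "cVPN3000-IPSec-Allow-Passwd-Store": "TRUE",
    "cVPN3000-WebVPN-Enable-functions": encode_flags(
        "cVPN3000-WebVPN-Enable-functions",
        ["URL entry", "File access", "File server entry", "File server browsing",
         "Port forwarding", "Outlook/Exchange Proxy"]),
}
```

build_user_ldif("ann_smith", "OU=People,DC=XYZCorporation,DC=com", ANN_SMITH) reproduces the entry above with one extra line, cVPN3000-WebVPN-Enable-functions: 111, and raises ValueError for a Tunneling-Protocols value outside 1-11.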


Configuring an External RADIUS Server

Follow the steps below to set up the RADIUS server to interoperate with the VPN Concentrator.

Step 1 Load the VPN Concentrator attributes into the RADIUS server. The method you use to load the attributes depends on which type of RADIUS server you are using:

• If you are using Cisco ACS: the server already has these attributes integrated. You can skip this step.

• For other vendors’ RADIUS servers (for example, Microsoft Internet Authentication Service): you must manually define each VPN Concentrator attribute. To define an attribute, use the attribute name or number, type, value, and vendor code (3076). For a list of VPN Concentrator RADIUS authorization attributes and values, see Table A-4.

Step 2 Set up the users or groups with the permissions and attributes to send during IPSec tunnel establishment. The permissions or attributes might include access hours, primary DNS, banner, and so on.

VPN Concentrator RADIUS Authorization Attributes

Table A-4 lists all the possible VPN Concentrator supported attributes that can be used for user authorization.

Table A-4 VPN Concentrator Supported RADIUS Attributes and Values

Attribute Name | Attribute Type | Attribute Number | Attribute Values
cVPN3000-Access-Hours | String | 1 | An octet string
cVPN3000-Simultaneous-Logins | Integer | 2 | An integer
cVPN3000-Primary-DNS | String | 5 | An IP address
cVPN3000-Secondary-DNS | String | 6 | An IP address
cVPN3000-Primary-WINS | String | 7 | An IP address
cVPN3000-Secondary-WINS | String | 8 | An IP address
cVPN3000-SEP-Card-Assignment | Integer | 9 | 1 = SEP1; 2 = SEP2; 3 = SEP3; 4 = SEP4; 15 = Any SEP
cVPN3000-Tunneling-Protocols | Integer | 11 | 1 = PPTP; 2 = L2TP; 3 = PPTP and L2TP; 4 = IPSec; 5 = PPTP and IPSec; 6 = L2TP and IPSec; 7 = PPTP-L2TP-IPSec; 8 = L2TP/IPSec; 9 = PPTP and L2TP/IPSec; 10 = L2TP and L2TP/IPSec; 11 = PPTP-L2TP-L2TP/IPSec
cVPN3000-IPSec-Sec-Association | String | 12 | An octet string
cVPN3000-IPSec-Authentication | Integer | 13 | 0 = None; 1 = RADIUS; 3 = NT Domain; 4 = SDI; 5 = Internal; 6 = RADIUS with Expiry; 7 = Kerberos/Active Directory
cVPN3000-IPSec-Banner1 | String | 15 | An octet string
cVPN3000-IPSec-Allow-Passwd-Store | Boolean | 16 | TRUE = Allow; FALSE = Disallow
cVPN3000-Use-Client-Address | Boolean | 17 | TRUE = Allow; FALSE = Disallow
cVPN3000-PPTP-Encryption | Integer | 20 | 2 = 40 bits; 3 = 40-Encryption-Req; 4 = 128 bits; 5 = 128-Encryption-Req; 6 = 40 or 128; 7 = 40 or 128 Encryption-Req; 10 = 40 Stateless-Req; 11 = Enc/Stateless-Req; 12 = 128 Stateless-Req; 13 = 128 Enc/Stateless-Req; 14 = 40/128-Stateless-Req; 15 = 40/128-Enc/Stateless-Req
cVPN3000-L2TP-Encryption | Integer | 21 | 2 = 40 bits; 3 = 40-Encryption-Req; 4 = 128 bits; 5 = 128-Encr-Req; 6 = 40 or 128; 7 = 40 or 128-Encr-Req; 10 = 40-Stateless-Req; 11 = Encr/Stateless-Req; 12 = 128-Stateless-Req; 13 = 128-Encr/Stateless-Req; 14 = 40/128-Stateless-Req; 15 = 40/128-Encr/Stateless-Req
cVPN3000-IPSec-Split-Tunnel-List | String | 27 | An octet string
cVPN3000-IPSec-Default-Domain | String | 28 | An octet string
cVPN3000-IPSec-Split-DNS-Names | String | 29 | An octet string
cVPN3000-IPSec-Tunnel-Type | Integer | 30 | 1 = LAN-to-LAN; 2 = Remote access
cVPN3000-IPSec-Mode-Config | Boolean | 31 | TRUE = On; FALSE = Off
cVPN3000-IPSec-User-Group-Lock | Boolean | 33 | TRUE = On; FALSE = Off
cVPN3000-IPSec-Over-UDP | Boolean | 34 | TRUE = On; FALSE = Off
cVPN3000-IPSec-Over-UDP-Port | Integer | 35 | An integer
cVPN3000-IPSec-Banner2 | String | 36 | An octet string
cVPN3000-PPTP-MPPC-Compression | Integer | 37 | 1 = ON; 2 = OFF
cVPN3000-L2TP-MPPC-Compression | Integer | 38 | 0 = ON; 1 = OFF
cVPN3000-IPSec-IP-Compression | Integer | 39 | 0 = None; 1 = LZS
cVPN3000-IPSec-IKE-Peer-ID-Check | Integer | 40 | 1 = Required; 2 = If supported by certificate; 3 = Do not check
cVPN3000-IKE-Keep-Alives | Boolean | 41 | TRUE = On; FALSE = Off
cVPN3000-IPSec-Auth-On-Rekey | Boolean | 42 | TRUE = On; FALSE = Off
cVPN3000-Required-Client-Firewall-Vendor-Code | Integer | 45 | 1 = Cisco Systems (with Cisco Integrated Client); 2 = Zone Labs; 3 = NetworkICE; 4 = Sygate; 5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)
cVPN3000-Required-Client-Firewall-Product-Code | Integer | 46 | Cisco Systems products: 1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC). Zone Labs products: 1 = Zone Alarm; 2 = Zone AlarmPro; 3 = Zone Labs Integrity. NetworkICE product: 1 = BlackIce Defender/Agent. Sygate products: 1 = Personal Firewall; 2 = Personal Firewall Pro; 3 = Security Agent
cVPN3000-Required-Client-Firewall-Description | String | 47 | An octet string
cVPN3000-Require-HW-Client-Auth | Boolean | 48 | TRUE = On; FALSE = Off
cVPN3000-Required-Individual-User-Auth | Integer | 49 | An integer
cVPN3000-Authenticated-User-Idle-Timeout | Integer | 50 | An integer
cVPN3000-Cisco-IP-Phone-Bypass | Integer | 51 | 2 = Enabled; 3 = Disabled
cVPN3000-IPSec-Split-Tunneling-Policy | Integer | 55 | 0 = Tunnel everything; 1 = Only tunnel networks in list; 2 = Policy Pushed CPP; 4 = Policy from server
cVPN3000-IPSec-Required-Client-Firewall-Capability | Integer | 56 | 0 = None; 1 = Policy defined by remote FW AYT; 2 = Policy pushed CPP; 4 = Policy from server
cVPN3000-IPSec-Client-Firewall-Filter-Name | String | 57 | An octet string
cVPN3000-IPSec-Client-Firewall-Filter-Optional | Integer | 58 | 0 = Required; 1 = Optional
cVPN3000-IPSec-Backup-Servers | String | 59 | 1 = Use Client-Configured list; 2 = Disabled and clear client list; 3 = Use Backup Server list
cVPN3000-IPSec-Backup-Server-List | String | 60 | An octet string
cVPN3000-Intercept-DHCP-Configure-Msg | Boolean | 62 | TRUE = Yes; FALSE = No
cVPN3000-MS-Client-Subnet-Mask | Boolean | 63 | An IP address
cVPN3000-Allow-Network-Extension-Mode | Boolean | 64 | TRUE = Yes; FALSE = No
cVPN3000-Strip-Realm | Boolean | 135 | TRUE = On; FALSE = Off
cVPN3000-Confidence-Interval | Integer | 68 | An integer
cVPN3000-Cisco-LEAP-Bypass | Integer | 75 | An integer
cVPN3000-Client-Type-Version-Limiting | String | 77 | An octet string
cVPN3000-WebVPN-Content-Filter-Parameters | Integer | 69 | 1 = Java & ActiveX; 2 = Java scripts; 4 = Images; 8 = Cookies. Add the values to filter multiple parameters. For example, enter 10 to filter both Java scripts and cookies (10 = 2 + 8).
cVPN3000-WebVPN-Enable-functions | Integer | 70 | 1 = URL entry; 2 = File access; 4 = File server entry; 8 = File server browsing; 16 = Web mail; 32 = Port forwarding; 64 = Outlook/Exchange Proxy; 128 = ACL Apply; 256 = Citrix support [Not yet available]. Add the values to enable multiple parameters. For example, enter 111 to enable all of the following: URL entry, file access, file server entry, file server browsing, port forwarding, and Outlook/Exchange Proxy (111 = 1 + 2 + 4 + 8 + 32 + 64).
cVPN3000-WebVPN-Exchange-Server-Address | String | 74 | An IP address or hostname
cVPN3000-WebVPN-ExchangeServer-NETBIOS-Name | String | 78 | An octet string
cVPN3000-Port-Forwarding-Name | String | 79 | An octet string. This text replaces the default string, “Application Access,” on the WebVPN home page.

Appendix B

Configuring the VPN Concentrator for WebVPN

WebVPN lets users establish a secure, remote-access VPN tunnel to a VPN 3000 Concentrator using a web browser. There is no need for either a software or hardware client. WebVPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer that can reach HTTPS Internet sites. WebVPN uses Secure Socket Layer Protocol and its successor, Transport Layer Security (SSL/TLS), to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The VPN Concentrator recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.

The network administrator provides access to WebVPN resources to users on a group basis. Users have no direct access to resources on the internal network.

This appendix includes the following sections:

• WebVPN Security Precautions

• Using SSL to Access the VPN Concentrator

• Configuring Certificates for WebVPN

• Enabling Cookies on Browsers for WebVPN

• Understanding WebVPN Global and Group Settings

• Using the VPN Concentrator Manager to Configure WebVPN

• Configuring E-mail

WebVPN Security Precautions

WebVPN connections on the Cisco VPN 3000 Concentrator are very different from remote access IPSec connections, particularly in how they interact with SSL-enabled servers and in the precautions needed to reduce security risks.

In a WebVPN connection, the VPN Concentrator acts as a proxy between the end user’s web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the VPN Concentrator establishes a secure connection and validates the server’s SSL certificate. The end user’s browser never receives the presented certificate and therefore cannot examine and validate it.

The current implementation of WebVPN on the VPN Concentrator does not permit communication with sites that present expired certificates. Nor does the VPN Concentrator perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate an SSL-enabled web-server presents before communicating with it.

To minimize the risks involved with SSL certificates:

B-23 VPN 3000 Series Concentrator Reference Volume I: Configuration

Appendix B Configuring the VPN Concentrator for WebVPN

1 Configure a group that consists of all users who need WebVPN access and enable the WebVPN feature only for that group.

2 Limit Internet access for WebVPN users. One way to do this is to uncheck the Enable URL Entry field on the Configuration | User Management | Base Group/Groups WebVPN tab. Then configure links to specific targets within the private network (Configuration | Tunneling and Security | WebVPN | Servers and URLs | Add/Modify or Configuration | Groups | WebVPN Servers and URLs | Add/Modify).

3 Educate users. If an SSL-enabled site is not inside the private network, users should not visit it over a WebVPN connection. They should open a separate browser window, visit the site directly, and use that browser to view the presented certificate.

Using SSL to Access the VPN Concentrator

WebVPN uses Secure Sockets Layer and its successor, Transport Layer Security (SSL/TLS), to provide a secure connection between remote users and specific, supported internal resources at a central site.

Using HTTPS for Management Sessions

Release 4.1 requires HTTPS (HTTP over SSL) for WebVPN management sessions.

By default, HTTPS management is enabled on the private interface. To manage the VPN Concentrator through the public or external interfaces after upgrading to Release 4.1, you must explicitly enable HTTPS management.

Enabling HTTPS Management Sessions

To enable HTTPS management for an interface in addition to the private interface, go to the Configuration | Interfaces | Ethernet # screen, WebVPN tab, and enable the parameter “Allow Management HTTPS sessions.”

Before you enable HTTPS on the public or external interface, you can access the VPN Concentrator Manager in one of these ways:

• Use SSH or HTTPS via the private interface.

• Use the console CLI.

Note Release 4.1 removes the functionality that allowed a Telnet over SSL connection to a VPN Concentrator.

Using HTTPS for WebVPN Sessions

Establishing WebVPN sessions requires:

• Using HTTPS to access the VPN Concentrator or load balancing cluster. In a web browser, enter the IP address in the format https://<IP address> instead of http://<IP address>.


• Enabling WebVPN sessions on the VPN Concentrator interface that users connect to.

To permit WebVPN sessions on an interface, enable the parameter “Allow WebVPN HTTPS sessions” on the Configuration | Interfaces | Ethernet # screen, WebVPN tab.

Users enter the IP address or DNS hostname of the interface in a supported browser. The format is https://address, where address is the IP address or DNS hostname of the VPN Concentrator interface. If you enable the Redirect HTTP to HTTPS parameter for that interface, which improves security, users need enter only the IP address or hostname.

Previous HTTP/HTTPS Filters No Longer Apply

After you enable HTTPS on the public interface, rules you created previously to allow HTTP and HTTPS traffic no longer behave as before, regardless of the filters you have configured on the Configuration | Policy Management | Traffic Management | Filters screen.

The Release 4.0 VPN Concentrator evaluates the filter rules on an interface in order, and the first matching rule decides. For example, it enforces these rules as follows:

• Rule 1. Allow HTTPS In/Out for PC 1.

• Rule 2. Drop all other HTTPS traffic (the default action).

When you upgrade to Release 4.1 and enable the Allow Management HTTPS sessions or Allow WebVPN HTTPS sessions parameters on the public interface, enforcement changes. The VPN Concentrator now enforces filter rules in the following order:

• Rule 1. Allow HTTPS in/out for PC 1.

• Rule 2. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.

• Rule 3. Drop all other HTTPS traffic (the default action).

Because Rule 2 matches all HTTPS traffic, Rule 3 is never reached: any PC on the public network can open an HTTPS session to the VPN Concentrator.

With Release 4.1 you must explicitly define a rule that drops HTTPS traffic from every other PC, and place it ahead of the session rule. In the following example, Rule 2 is the rule you must add:

• Rule 1. Allow HTTPS In/Out for PC 1.

• Rule 2. Disallow every other PC (0.0.0.0/255.255.255.255).

• Rule 3. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.

• Rule 4. Drop all other HTTPS traffic (the default action).
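The ordering problem described above, as an added example that is not Cisco code or configuration: a small Python model of an ordered HTTPS filter evaluated under the three rule orderings in the text (Release 4.0, Release 4.1 as upgraded, and Release 4.1 with the explicit deny). The PC addresses are constructed from documentation ranges, and representing the 4.1 "Allow Management HTTPS / WebVPN HTTPS sessions" rule as a catch-all allow is an assumption made for the illustration; the wildcard-mask convention (0.0.0.0/255.255.255.255 means every address) follows the rule shown in the text.

```python
import ipaddress

# Constructed example addresses (RFC 5737 documentation ranges); PC 1 is an assumption.
PC1 = "192.0.2.10"
OTHER_PC = "203.0.113.77"

# A rule is (action, address, wildcard_mask, description). The address/wildcard pair
# uses the VPN Concentrator filter convention quoted in the text: 0.0.0.0/255.255.255.255
# means "every address" (a 1 bit in the wildcard mask means "don't care").
RULE_ALLOW_PC1 = ("allow", PC1, "0.0.0.0", "Allow HTTPS In/Out for PC 1")
RULE_SESSIONS = ("allow", "0.0.0.0", "255.255.255.255",
                 "Allow HTTPS Management / WebVPN HTTPS sessions (inserted by 4.1)")
RULE_DENY_OTHERS = ("drop", "0.0.0.0", "255.255.255.255", "Disallow every other PC")
RULE_DEFAULT = ("drop", "0.0.0.0", "255.255.255.255", "Drop all other HTTPS traffic (default)")

RULESET_40 = [RULE_ALLOW_PC1, RULE_DEFAULT]
RULESET_41_AS_UPGRADED = [RULE_ALLOW_PC1, RULE_SESSIONS, RULE_DEFAULT]
RULESET_41_FIXED = [RULE_ALLOW_PC1, RULE_DENY_OTHERS, RULE_SESSIONS, RULE_DEFAULT]


def wildcard_match(ip, address, wildcard):
    """True if ip matches address under a wildcard mask (1 bits in the mask are ignored)."""
    ip_i, addr_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, address, wildcard))
    care = ~wc_i & 0xFFFFFFFF
    return (ip_i & care) == (addr_i & care)


def evaluate(ruleset, src_ip):
    """First-match evaluation: return (action, 1-based index of the rule that fired)."""
    for index, (action, address, wildcard, _desc) in enumerate(ruleset, start=1):
        if wildcard_match(src_ip, address, wildcard):
            return action, index
    return "drop", None  # only reached if no catch-all default rule is present


def explain(ruleset, src_ip):
    """Human-readable verdict for one source address against one ordered rule set."""
    action, index = evaluate(ruleset, src_ip)
    if index is None:
        return f"{src_ip}: drop (no rule matched)"
    return f"{src_ip}: {action} by rule {index} ({ruleset[index - 1][3]})"


if __name__ == "__main__":
    for name, ruleset in (("Release 4.0", RULESET_40),
                          ("Release 4.1 as upgraded", RULESET_41_AS_UPGRADED),
                          ("Release 4.1 with explicit deny", RULESET_41_FIXED)):
        print(name)
        for ip in (PC1, OTHER_PC):
            print("  " + explain(ruleset, ip))
```

Running it shows the other PC dropped under 4.0, allowed by rule 2 after the upgrade, and dropped by the inserted deny rule once it is placed ahead of the session rule, while PC 1 is allowed by rule 1 in every case.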

Configuring SSL/TLS Encryption Protocols

Make sure that the VPN Concentrator and the browser you use allow the same SSL/TLS protocol versions; where both ends support it, prefer TLS over the older SSL versions. On the VPN Concentrator, configure the enabled versions in the Configuration | Tunneling and Security | SSL | Protocols screen.


Configuring Certificates for WebVPN

SSL uses digital certificates for authentication. The VPN Concentrator creates a self-signed SSL server certificate when it boots, or you can install on the VPN Concentrator an SSL certificate issued by a PKI. For the browser to trust the HTTPS connection, that certificate must then be installed in the client. You need to install the certificate from a given VPN Concentrator only once.

Related information:

• For information on installing the SSL digital certificate in your browser and connecting via HTTPS, see Chapter 1, “Using the VPN Concentrator Manager,” in the VPN 3000 Series Concentrator Volume I: Configuration guide.

• To manage digital certificates, in the VPN 3000 Series Concentrator Volume II: Administration and Monitoring guide, see Chapter 11, “Certificate Management.”

Using Certificates to Authenticate E-Mail Proxy Users

For information about using digital certificates for e-mail proxy, see the section “Certificate” in Chapter 15, “Tunneling and Security.”

Using Certificates to Authenticate Clients

Using digital certificates to authenticate clients requires several steps. For detailed instructions, see the section “Client Authentication” in Chapter 15, “Tunneling and Security.”

Checking the VPN Concentrator SSL Certificate

Make sure that the VPN Concentrator’s SSL certificate is current. Chapter 1 of this guide provides detailed information about installing and viewing SSL certificates on Internet Explorer and Netscape.
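Because the VPN Concentrator accepts any unexpired server certificate and the browser never sees it (see WebVPN Security Precautions), the checks a browser would normally perform have to happen somewhere else. The following Python script is an added example, not part of this guide or of the VPN Concentrator: it performs full chain and hostname validation against a target the way a browser would, and reports the validity period, so you can run it against the VPN Concentrator’s own SSL certificate and against each internal HTTPS server before adding it under Servers and URLs. The sample certificate fields, host names and dates are constructed for the example.

```python
import calendar
import socket
import ssl
import time

# Constructed certificate fields in the shape ssl.SSLSocket.getpeercert() returns;
# the names and dates are assumptions for this example, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jan 15 00:00:00 2004 GMT",
    "notAfter": "Dec 31 23:59:59 2004 GMT",
}


def utc_seconds(year, month, day, hour=0, minute=0, second=0):
    """Seconds since the epoch for a UTC calendar time (used to pin 'now' in checks)."""
    return calendar.timegm((year, month, day, hour, minute, second))


def cert_validity(cert, now=None):
    """Return (within_validity_period, whole_days_until_expiry) for a getpeercert() dict."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    within = not_before <= now <= not_after
    days_left = int((not_after - now) // 86400)
    return within, days_left


def subject_cn(cert):
    """Extract commonName from the nested getpeercert() subject tuple."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_server(host, port=443, cafile=None, timeout=5.0, now=None):
    """Connect with full chain and hostname verification (what the browser would do if
    it saw the certificate) and report validity. Certificate and connection problems
    are returned rather than raised so the function can be run over a list of targets.
    Pass cafile= for an internal CA that the system trust store does not contain."""
    context = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        # Expired, wrong name, or issuer not trusted: exactly what WebVPN users cannot see.
        return {"host": host, "chain_ok": False, "error": err.verify_message}
    except OSError as err:
        return {"host": host, "chain_ok": False, "error": str(err)}
    within, days_left = cert_validity(cert, now)
    return {"host": host, "chain_ok": True, "cn": subject_cn(cert),
            "within_validity": within, "days_left": days_left}


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(check_server(target))
```

Run it with the VPN Concentrator’s hostname and each internal HTTPS server as arguments; a chain_ok of False with an issuer or expiry error is a server the VPN Concentrator would either silently accept (unknown issuer) or refuse (expired), neither of which the end user can diagnose from the browser.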

Setting WebVPN HTTP/HTTPS Proxy

The VPN Concentrator can terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers. These servers act as an intermediary between users and the Internet. Requiring all Internet access to go through a server the organization controls provides another opportunity for filtering, to assure secure Internet access and administrative control.

Set values for HTTP and HTTPS Proxy for WebVPN in the Configuration | Tunneling and Security | WebVPN | HTTP/HTTPS Proxy screen.

Enabling Cookies on Browsers for WebVPN

Browser cookies are required for the proper operation of WebVPN. When cookies are disabled on the web browser, the links from the web portal home page open a new window prompting the user to log in once more.


Understanding WebVPN Global and Group Settings

In general, the group-based parameters for IPSec, PPTP and L2TP/IPSec sessions do not apply to WebVPN. The exceptions to this are:

• WebVPN parameters from the group's WebVPN tab apply.

• The banner from the Client Configuration tab (User Management | Base Group/Groups) applies to WebVPN sessions.

Table B-1 summarizes the group and global settings that WebVPN supports:

Table B-1 WebVPN Group and Global Settings

Parameter          Group   Global/system-wide
Authentication     No      Yes (1)
Authorization      No      Yes
Accounting         Yes     Yes (2)
DNS                No      Yes
Servers/URLs       Yes     Yes
Port Forwarding    Yes     Yes
Enable URL entry   Yes     Yes

1. In this release WebVPN does not support RADIUS with Expiry authentication.
2. If no accounting servers are defined in the group, the system servers apply.

Configuring Authentication and Authorization Globally

WebVPN uses the global authentication and authorization settings, not the settings configured for the group. The first active server, independent of type, is used for authentication and authorization of WebVPN sessions.

Authenticating with Digital Certificates

WebVPN users that authenticate using digital certificates do not use the global authentication and authorization settings. Instead, they use an authorization server according to the values set in the Configuration | User Management | Base Group/Groups IPSec tab for the following fields:

• Authentication

• Authorization Type

• Authorization Required

• DN Field parameters

The VPN Concentrator does not support multiple authentication types for groups of WebVPN users.


Configuring DNS Globally

WebVPN does not use the DNS settings of the group to which the user is assigned; it follows the VPN Concentrator global DNS settings. This can confuse administrators who expect users in a group to get that group’s DNS settings and instead see different DNS results. Ensure that the global DNS settings of the VPN Concentrator are configured properly.

Assigning WebVPN Users to Groups

When you use a RADIUS server to authenticate users, assign users to groups as follows:

Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group.

Step 2 Set the Class attribute to the group name in the format OU=group_name;

For example, to assign a WebVPN user to the SSL_VPN group, set the RADIUS Class attribute to the value OU=SSL_VPN; (Do not omit the semicolon.)

You can also configure users to authenticate to the VPN Concentrator internal authentication server, using the VPN Concentrator Manager to assign users to groups. For more information about configuring groups, see Chapter 13, “User Management,” especially Table 13-1, which lists the maximum number of users per VPN Concentrator platform that you can configure for internal authentication.
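The Class attribute format above, as an added example that is not Cisco code: encoding the attribute on the wire as an RFC 2865 Type/Length/Value and parsing it back to a group name. The parser is deliberately strict about the OU=group_name; format the text requires, including the trailing semicolon; how the VPN Concentrator itself parses the attribute is not described on this page, and the Access-Accept contents are constructed for the example.

```python
import struct

# RADIUS attribute types from RFC 2865.
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CLASS = 25


def class_value_for_group(group_name):
    """Build the Class value the text specifies: 'OU=<group>;' including the semicolon."""
    if not group_name or any(c in group_name for c in ";=\x00"):
        raise ValueError("group name must be non-empty and contain no ';' or '='")
    return f"OU={group_name};".encode("ascii")


def encode_attribute(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def decode_attributes(blob):
    """Parse a sequence of RADIUS attributes, rejecting truncated or zero-length ones
    so a malformed server reply cannot make the loop spin or read past the buffer."""
    attrs, offset = [], 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {offset}")
        attrs.append((attr_type, blob[offset + 2:offset + length]))
        offset += length
    return attrs


def group_from_class(value):
    """Return the group name from an 'OU=<group>;' Class value, or None if the value
    does not follow that format (for example, the trailing semicolon is missing)."""
    text = value.decode("ascii", errors="replace")
    if not (text.startswith("OU=") and text.endswith(";")):
        return None
    name = text[3:-1]
    return name or None


def group_from_access_accept(blob):
    """Find the first Class attribute in an Access-Accept attribute section and map it."""
    for attr_type, value in decode_attributes(blob):
        if attr_type == ATTR_CLASS:
            return group_from_class(value)
    return None


# Constructed Access-Accept attribute section: a Framed-IP-Address followed by Class.
SAMPLE_ACCEPT = (encode_attribute(ATTR_FRAMED_IP_ADDRESS, bytes([10, 20, 30, 40]))
                 + encode_attribute(ATTR_CLASS, class_value_for_group("SSL_VPN")))

if __name__ == "__main__":
    print(SAMPLE_ACCEPT.hex())
    print(group_from_access_accept(SAMPLE_ACCEPT))
```

A value such as OU=SSL_VPN without the semicolon maps to no group at all in this parser, which is the failure the text warns about; a user whose Class attribute is malformed does not land in the intended WebVPN group.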

Using the VPN Concentrator Manager to Configure WebVPN

You set some values for WebVPN users on a global basis, and others on either a global or a group basis. Table B-2 provides more information about configuring WebVPN features globally or on a group basis.

Table B-2 WebVPN Feature Configuration Options

HTTP/HTTPS Proxy (set globally)

Screen: Configuration | Tunneling and Security | WebVPN | HTTP/HTTPS Proxy

WebVPN Access Control Lists (ACLs) (set globally or by group)

You can use ACLs to deny and permit access to web, file, and e-mail servers on a group basis.

Tip After you construct WebVPN ACLs, be sure to check the Apply ACL box further up on the screen.

Screen: Configuration | User Management | Base Group/Groups | WebVPN tab

WebVPN appearance (set globally), including:

• Page title

• Login message

• Page colors

• Page logo

Screens: Configuration | Tunneling and Security | WebVPN | Home Page and Logo

E-Mail Proxy (set globally):

• POP3S

• IMAP4S

• SMTPS

Screen: Configuration | Tunneling and Security | WebVPN | E-mail Proxy

Web E-Mail via Outlook Web Access for Exchange 2000: no configuration required.

Client/server application access (port forwarding) (set globally or by group). Supported applications include:

• Windows Terminal Services

• Telnet

• SSH

• Secure FTP (FTP over SSH)

• Perforce

• Outlook/Outlook Express

• Lotus Notes

• XDDTS

• SameTime Instant Messaging

Other TCP-based applications may also work, but Cisco has not tested them.

Screens, globally: Configuration | User Management | Base Group | WebVPN tab and Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add/Modify

Screens, by group: Configuration | User Management | Groups | Add/Modify | WebVPN tab and Configuration | User Management | Groups | WebVPN | Port Forwarding

Web access (set globally or by group), including:

• Organization websites

• External websites

• Web browsing

• Webmail

Screens, globally: Configuration | User Management | Base Group | WebVPN tab and Configuration | Tunneling and Security | WebVPN | Servers and URLs

Screens, by group: Configuration | User Management | Groups | Add/Modify | WebVPN tab and Configuration | User Management | Groups | WebVPN | Servers and URLs

File and file server access (set globally or by group), including:

• Specific files

• File servers

• File browsing

Screens, globally: Configuration | User Management | Base Group | WebVPN tab and Configuration | Tunneling and Security | WebVPN | Servers and URLs

Screens, by group: Configuration | User Management | Groups | Add/Modify | WebVPN tab and Configuration | User Management | Groups | WebVPN | Servers and URLs

Note To configure access to client/server applications, web resources, and files and servers:
- Enable access in the Configuration | User Management | Base Group/Groups | WebVPN tab.
- Identify specific file servers and URLs in the WebVPN Servers and URLs and Port Forwarding screens.

Configuring E-mail

WebVPN supports several ways to access e-mail:

• E-mail Proxies: Enable e-mail via Post Office Protocol version 3 over SSL (POP3S), Internet Message Access Protocol version 4 over SSL (IMAP4S), and Simple Mail Transfer Protocol over SSL (SMTPS) proxies.

• Web E-mail: A remote user can access Exchange e-mail through Outlook Web Access without having an Outlook client on the computer they are using.

E-mail Proxies

Configure e-mail proxies in the Configuration | Tunneling and Security | WebVPN | E-mail Proxy screen. Pay particular attention to the delimiter settings on that screen.

Web E-Mail: Outlook Web Access for Exchange 2000

Web E-Mail (Outlook Web Access for Exchange 2000) requires an Exchange 2000 server at the central site. It also requires that users:

• Enter the URL of the mail server in a browser.

• When prompted, enter the e-mail server username in the format domain\username.

• Enter the e-mail password.

Configuring File Access

Configure access to files and servers in the Configuration | Tunneling and Security | WebVPN | Servers and URLs screen. Remember to select CIFS as the Server Type.

Configuring Access to Applications

Configure access to TCP/IP applications in the Configuration | Tunneling and Security | WebVPN | Port Forwarding screen.

Configuring Web Access

Configure access to URLs in the Configuration | Tunneling and Security | WebVPN | Servers and URLs screen. Do not select CIFS as the Server Type for URLs; CIFS is the type for file servers.

Using the WebVPN Capture Tool

The WebVPN CLI includes a capture tool that lets you log information about websites that do not display properly over a WebVPN connection. The data this tool records can help your Cisco customer support representative troubleshoot problems.

WebVPN Capture Tool Output

The output of the WebVPN capture tool consists of two sets of files:

• mangled.1, mangled.2, mangled.3, mangled.4 and so on, depending on the web page activity. The mangled files record the HTML as the VPN Concentrator rewrote it while transferring these pages over a WebVPN connection.

• original.1, original.2, original.3, original.4 and so on, depending on the web page activity. The original files are the pages as the target web server sent them to the VPN Concentrator, before rewriting.

Viewing and Using WebVPN Capture Tool Output

To open and view these files, go to Administration | File Management. Zip the output files and send them to your Cisco support representative.

Note Using the WebVPN capture tool does impact VPN Concentrator performance. Be sure to disable the capture tool after you have generated the output files. See Step 5 in the next section for the location of the Enable/Disable parameter.


Using the WebVPN Capture Tool

To use the WebVPN capture tool:

Step 1 Establish a CLI connection to the VPN Concentrator via Telnet, SSH, or the console port. Telnet sends the administrator password in cleartext; prefer SSH or the console where you can (see “Using HTTPS for Management Sessions” for the supported management access methods).

Step 2 At the prompts, enter the administrator login name and password. Entries are case-sensitive. (The CLI does not echo your password.) The example shows the default admin/admin account; use your own administrator credentials, and change the default password if it is still in use.

Login: admin
Password: admin

The CLI displays the opening welcome message, the main menu, and the Main -> prompt:

Welcome to
Cisco Systems
VPN 3000 Concentrator Series
Command Line Interface

Copyright (C) 1998-2004 Cisco Systems, Inc.

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

Main -> _

Step 3 Enter 3 to select Monitoring. The system prompts you with the following menu:

1) Routing Table
2) Event Log
3) System Status
4) Sessions
5) General Statistics
6) Dynamic Filters
7) Back

Monitor ->

Step 4 Enter 2 to select Event Log. The system prompts you with the following menu:

1) Configure Log viewing parameters
2) View Event Log
3) Save Log
4) Clear Log
5) Configure WebVPN Logging
6) Back

Log ->


Step 5 Enter 5 to select Configure WebVPN Logging. The system prompts you with the following menu:

WebVPN Logging: OFF
User: "NULL"
Path: "NULL"

1) Set Username
2) Set Path
3) Enable/Disable WebVPN Logging
4) Back

WebVPN Logging -> 1

Step 6 Enter 1 to set the Username. The system prompts you as follows:

Enter the name of the user to capture.
> Username to Log

WebVPN Logging ->

Step 7 Enter the Username, in this example janedoe. The system prompts you with the following menu:

WebVPN Logging: OFF
User: "janedoe"

1) Set Username
2) Set Path
3) Enable/Disable WebVPN Logging
4) Back

WebVPN Logging -> 2

Step 8 Enter 2 to set the Path. This is the path to the URL that does not display properly. The system prompts you as follows, including instructions for formatting the path:

Enter the path to capture.
Format: /http[s]/<port or 0 for default>/<server>/<server path>

Use "/http" to capture everything.
Use "/http/0/<server>" to capture HTTP traffic to <server>.
Use "/https/0/<server>" to capture HTTPS traffic to <server>.

> Path Prefix to Log

WebVPN Logging -> /http/0/www.yahoo.com

Step 9 Enter the path, in this example /http/0/www.yahoo.com. The system prompts you with the following menu:

WebVPN Logging: OFF
User: "janedoe"
Path: "/http/0/www.yahoo.com"

1) Set Username
2) Set Path
3) Enable/Disable WebVPN Logging
4) Back

WebVPN Logging -> 3


Step 10 Enter 3 to enable WebVPN Logging. The system prompts you with the following menu:

WARNING:-- Enabling this feature will impact performance.

1) Enable WebVPN Logging
2) Disable WebVPN Logging

WebVPN Logging -> [ 2 ]

Step 11 Enter 1 to enable WebVPN Logging. The system prompts you with the following menu:

WebVPN Logging: ON
User: "janedoe"
Path: "/http/0/www.yahoo.com"

1) Set Username
2) Set Path
3) Enable/Disable WebVPN Logging
4) Back

WebVPN Logging -> 4

Step 12 At this point you can exit the CLI. Enter the Back option repeatedly until a menu displays that includes the option to Exit.

1) Configure Log viewing parameters
2) View Event Log
3) Save Log
4) Clear Log
5) Configure WebVPN Logging
6) Back

Log ->

Appendix C WebVPN End User Set-up

This appendix is for the system administrator who sets up WebVPN for end users. It summarizes configuration requirements and tasks for the user’s remote system. It also specifies information to communicate to users to get them started using WebVPN.

Note We assume you have already configured the VPN Concentrator for WebVPN.

Usernames and Passwords

Depending on your organization’s network, during a remote session users might have to log in to any or all of the following: the computer itself, an Internet provider, WebVPN, mail or file servers, or corporate applications. Users might have to authenticate in many different contexts, each requiring different information, such as a unique username, password, or PIN code.

Table C-1 lists the types of usernames and passwords that WebVPN users might need to know.

Table C-1 Usernames and Passwords to Tell WebVPN Users

Login Username/Password Type   Purpose                                     Entered When
Computer                       Access the computer                         Starting the computer
Internet Provider              Access the Internet                         Connecting to an Internet provider
WebVPN                         Access remote network                       Starting WebVPN
File Server                    Access remote file server                   Using the WebVPN file browsing feature to access a remote file server
Corporate Application Login    Access firewall-protected internal server   Using the WebVPN web browsing feature to access an internal protected website
Mail Server                    Access remote mail server via WebVPN        Sending or receiving e-mail messages


Security Tips

Advise users always to log out from the WebVPN session. (To log out of WebVPN, click the logout icon on the WebVPN toolbar or quit the browser.)

Advise users that using WebVPN does not ensure that communication with every site is secure. WebVPN secures only the data transmission between the remote user’s PC or workstation and the VPN Concentrator on the corporate network. If the user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate VPN Concentrator to the destination web server is not secured.

Configuring Remote Systems to Use WebVPN Features

This section summarizes:

• WebVPN requirements, by feature

• WebVPN supported applications

• Client application installation and configuration requirements

• Information you might need to provide end users

• Tips and use suggestions for end users

You might have configured user accounts differently, so that different WebVPN features are available to each user. The information in Table C-2 is organized by feature, so you can skip over the information for unavailable features.


Table C-2 WebVPN Remote System Configuration and End User Requirements

Task: Starting WebVPN

Requirement: A connection to the Internet. Any Internet connection is supported, including:

• Home DSL, cable, or dial-ups

• Public kiosks

• Hotel hook-ups

• Airport wireless nodes

• Internet cafes

Requirement: A WebVPN-supported browser. The following browsers have been verified for WebVPN. Other browsers might not fully support 4.1 WebVPN features.

On Microsoft Windows:

• Internet Explorer version 6.0

• Netscape version 7.1

• Mozilla version 1.4

On Linux:

• Mozilla version 1.4

• Netscape version 7.1

On Solaris:

• Netscape version 7.1

On Macintosh OS X:

• Safari version 1.0

Requirement: Cookies enabled on the browser. Cookies must be enabled on the browser in order to access applications via port forwarding.

Requirement: The URL for WebVPN. An https address in the following form:

https://address

where address is the IP address or DNS hostname of an interface of the VPN Concentrator (or load balancing cluster) on which Allow WebVPN HTTPS Sessions has been enabled. For example: https://10.89.192.163 or https://vpn.company.com.

Requirement: A WebVPN username and password.

Requirement (optional): A local printer. WebVPN does not support printing from a web browser to a network printer. Printing to a local printer is supported.


Task: Web Browsing

Requirement: Usernames and passwords for protected websites.

Using WebVPN does not ensure that communication with every site is secure. See the Security Tips section.

The look and feel of web browsing with WebVPN might be different from what users are accustomed to. For example, when using WebVPN:

• The WebVPN title bar appears above each web page

• You access websites by:

– Entering the URL in the Enter Web Address field on the WebVPN home page

– Clicking a pre-configured website link on the WebVPN home page

– Clicking a link on a web page accessed via one of the previous two methods

Also, depending on how you configured a particular account, it might be that:

• Some websites are blocked

• Only the websites that appear as links on the WebVPN home page are available

Task: Network Browsing and File Management

Requirement: File permissions configured for shared remote access. Only shared folders and files are accessible via WebVPN.

Requirement: Server names and passwords for protected file servers.

Requirement: Domain, workgroup, and server names where folders and files reside. Users might not be familiar with how to locate their files through your organization’s network.

Requirement: Patience. Do not interrupt the Copy File to Server command or navigate to a different screen while the copying is in progress. Interrupting the operation can leave an incomplete file saved on the server.


Task: Using Applications (Port Forwarding)

Note On Macintosh OS X, only the Safari browser supports this feature.

Note Because this feature requires installing the Sun Microsystems Java™ Runtime Environment and configuring the local clients, and because doing so requires administrator permissions on the local system, it is unlikely that users will be able to use applications when they connect from public remote systems.

Caution Users should always close the Application Access window when they finish using applications by clicking the close icon. Failure to quit the window properly can cause Application Access or the applications themselves to be disabled. See Application Access: Recovering from hosts File Errors for details.

Requirement: Client applications installed.

Requirement: Cookies enabled on the browser.

Requirement: Administrator privileges. The user must be a local administrator on his or her PC.

Requirement: Sun Microsystems Java Runtime Environment (JRE) version 1.4 or later installed. WebVPN automatically checks for the JRE whenever the user starts Application Access. If it is necessary to install the JRE, a pop-up window displays, directing users to a site where it is available.

Requirement: Client applications configured, if necessary.

Note The Microsoft Outlook client does not require this configuration step.

All non-Windows client applications require configuration.

To see if configuration is necessary for a Windows application, check the value of the Remote Server field on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add/Modify screen.

• If the Remote Server field contains the server’s hostname, you do not need to configure the client application.

• If the Remote Server field contains an IP address, you must configure the client application.

To configure the client application, use the server’s locally mapped IP address and port number. To find this information:

1. Start WebVPN on the remote system and click the Application Access link on the WebVPN home page. The Application Access window displays.

2. In the Name column, find the name of the server you want to use, then identify its corresponding client IP address and port number (in the Local column).

3. Use this IP address and port number to configure the client application. Configuration steps vary for each client application.


Task: Using E-mail via Application Access

Requirement: Fulfill the requirements for Application Access (see Using Applications).

To use mail, start Application Access from the WebVPN home page. The mail client is then available for use.

Note If you are using an IMAP client and you lose your mail server connection or are unable to make a new connection, close the IMAP application and restart WebVPN.

Requirement: Other mail clients. Cisco has tested Microsoft Outlook Express versions 5.5 and 6.0. WebVPN should support other SMTPS, POP3S, or IMAP4S e-mail programs, such as Netscape Mail, Lotus Notes, and Eudora, but Cisco has not verified them.

Task: Using E-mail via Web Access

Requirement: Web-based e-mail product installed. Supported:

• Outlook Web Access (OWA)

For best results, use OWA on Internet Explorer 5.x or higher.

Other web-based e-mail products should also work, but Cisco has not verified them.

Task: Using E-mail via E-mail Proxy

Requirement: SSL-enabled mail application installed. Supported mail applications:

• Microsoft Outlook

• Microsoft Outlook Express versions 5.5 and 6.0

• Netscape Mail version 7

• Eudora 4.2 for Windows 2000

Other SSL-enabled mail clients should also work, but Cisco has not verified them.

Requirement: Mail application configured. See the instructions and examples for your mail application in the “E-mail Proxy” section.


Application Access: Recovering from hosts File Errors

It is very important to close the Application Access window properly. When you finish using Application Access, click the close icon. If you do not close the window properly:

• The next time you try to start Application Access, it might be disabled; you receive a Backup HOSTS File Found error message

• The applications themselves might be disabled or might malfunction, even when you are running them locally

These errors can result from terminating the Application Access window in any improper way. For example:

• Your browser crashes while you are using Application Access

• A power outage or system shutdown occurs while you are using Application Access

• You minimize the Application Access window while you are working, then shut down your computer with the window active (but minimized)

How WebVPN Uses the hosts File

The hosts file on your local system maps IP addresses to host names. When you start Application Access, WebVPN modifies the hosts file, adding WebVPN-specific entries. Stopping Application Access by properly closing the Application Access window returns the file to its original state.

What Happens When You Stop Application Access Improperly

Once Application Access terminates abnormally, the hosts file is left in a WebVPN-customized state. WebVPN checks for this possibility the next time you start Application Access by searching for a hosts.webvpn file. If it finds one, you receive a Backup HOSTS File Found error message (see Figure C-1), and Application Access is temporarily disabled.

Once you shut down Application Access improperly, you leave your remote access client/server applications in limbo. If you try to start these applications without using WebVPN, they might malfunction. You might find that hosts that you normally connect to are unavailable. This situation could commonly occur if you run applications remotely from home, fail to quit the Application Access window before shutting down the computer, then try to run the applications later from the office.

Before invoking Application Access: the hosts file is in its original state.

When Application Access starts:

• WebVPN copies the hosts file to hosts.webvpn, thus creating a backup.

• WebVPN then edits the hosts file, inserting WebVPN-specific information.

When Application Access stops:

• WebVPN copies the backup file to the hosts file, thus restoring the hosts file to its original state.

• WebVPN deletes hosts.webvpn.

After finishing Application Access: the hosts file is in its original state.


What to Do

To re-enable Application Access or malfunctioning applications:

• If you are able to connect to your remote access server, follow the steps in the section “Reconfigure hosts File Automatically Using WebVPN.”

• If you are unable to connect to your remote access server from your current location or if you have made custom edits to the hosts file, follow the steps in the section “Reconfigure hosts File Manually.”

Reconfigure hosts File Automatically Using WebVPN

If you are able to connect to your remote access server, follow these steps to reconfigure the hosts file and re-enable both Application Access and the applications.

Step 1 Start WebVPN and log in. Your home page opens.

Step 2 Click the Applications Access link. A Backup HOSTS File Found message displays. (See Figure C-1.)

Figure C-1 Backup HOSTS File Found Message

Step 3 Choose one of the following options:

• Restore from backup = WebVPN forces a proper shutdown. WebVPN copies the hosts.webvpn backup file to the hosts file, restoring it to its original state, then deletes hosts.webvpn. You then have to restart Application Access.

• Do nothing = Application Access does not start. You return to your remote access home page.

• Delete backup = WebVPN deletes the hosts.webvpn file, leaving the hosts file in its WebVPN-customized state. The original hosts file settings are lost. Then Application Access starts, using the WebVPN-customized hosts file as the new original. Choose this option only if you are unconcerned about losing hosts file settings. If you or a program you use might have edited the hosts file after Application Access has shut down improperly, choose one of the other options, or edit the hosts file manually. (See the “Reconfigure hosts File Manually” section.)


Reconfigure hosts File Manually

If you are not able to connect to your remote access server from your current location, or if you have customized the hosts file and do not want to lose your edits, follow these steps to reconfigure the hosts file and re-enable both Application Access and the applications.

Step 1 Locate and edit your hosts file.

Step 2 Check whether any lines contain the string:

# added by WebVpnPortForward

If any lines contain this string, your hosts file is WebVPN-customized. A WebVPN-customized hosts file looks similar to the following example:

123.0.0.3 server1 # added by WebVpnPortForward
123.0.0.3 server1.example.com vpn3000.com # added by WebVpnPortForward
123.0.0.4 server2 # added by WebVpnPortForward
123.0.0.4 server2.example.com.vpn3000.com # added by WebVpnPortForward
123.0.0.5 server3 # added by WebVpnPortForward
123.0.0.5 server3.example.com vpn3000.com # added by WebVpnPortForward

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

123.0.0.1 localhost

Step 3 Delete the lines that contain the string: # added by WebVpnPortForward

Step 4 Save and close the file.

Step 5 Start WebVPN and log in. Your home page appears.

Step 6 Click the Application Access link. The Application Access window appears. Application Access is now enabled.
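The backup-and-restore cycle described under “How WebVPN Uses the hosts File” and the manual clean-up in Steps 2 through 4 above, modelled in Python as an added example (not Cisco's code): the tag string and the hosts.webvpn file name are the manual's, while the sample hosts contents, the extra user edit and the temporary directory are constructed.

```python
"""Model of the hosts-file handling the manual describes: what WebVPN does when
Application Access starts and stops, the Backup HOSTS File Found check, and the
manual recovery of stripping the tagged lines. Added example, not Cisco's code.
The tag string and the hosts.webvpn file name come from the manual; the sample
hosts contents and the temporary directory are constructed."""
import os
import tempfile

WEBVPN_TAG = "# added by WebVpnPortForward"  # marker WebVPN puts on its lines
BACKUP_NAME = "hosts.webvpn"                 # backup WebVPN writes beside hosts

# Constructed stand-in for an untouched Windows hosts file.
ORIGINAL_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "123.0.0.1 localhost\n"
)

# Constructed entries in the shape the manual's example shows.
WEBVPN_ENTRIES = [
    "123.0.0.3 server1 " + WEBVPN_TAG,
    "123.0.0.3 server1.example.com " + WEBVPN_TAG,
    "123.0.0.4 server2 " + WEBVPN_TAG,
]


def _backup_path(hosts_path):
    return os.path.join(os.path.dirname(hosts_path), BACKUP_NAME)


def _read(path):
    with open(path) as f:
        return f.read()


def backup_found(hosts_path):
    """The check WebVPN makes at the next start: a leftover hosts.webvpn means
    the previous session did not shut down properly."""
    return os.path.exists(_backup_path(hosts_path))


def start_application_access(hosts_path):
    """Copy hosts to hosts.webvpn, then insert the WebVPN-specific lines."""
    original = _read(hosts_path)
    with open(_backup_path(hosts_path), "w") as f:
        f.write(original)
    with open(hosts_path, "w") as f:
        f.write("\n".join(WEBVPN_ENTRIES) + "\n" + original)


def restore_from_backup(hosts_path):
    """Proper shutdown, and the 'Restore from backup' choice in the error
    dialog: copy hosts.webvpn back over hosts, then delete the backup."""
    backup = _backup_path(hosts_path)
    original = _read(backup)
    with open(hosts_path, "w") as f:
        f.write(original)
    os.remove(backup)


def strip_webvpn_lines(hosts_path):
    """Manual recovery (Steps 2 and 3): delete every line carrying the tag and
    keep everything else, including edits made after the crash.
    Returns the number of lines removed."""
    lines = _read(hosts_path).splitlines()
    kept = [ln for ln in lines if WEBVPN_TAG not in ln]
    with open(hosts_path, "w") as f:
        f.write("\n".join(kept) + "\n")
    return len(lines) - len(kept)


def demo():
    """Run a normal session, then an abnormal one, and report what each
    recovery path leaves behind."""
    with tempfile.TemporaryDirectory() as d:
        hosts = os.path.join(d, "hosts")
        with open(hosts, "w") as f:
            f.write(ORIGINAL_HOSTS)
        result = {}

        # Normal session: start, then stop properly.
        start_application_access(hosts)
        result["backup_present_while_running"] = backup_found(hosts)
        restore_from_backup(hosts)
        result["clean_after_proper_stop"] = (
            not backup_found(hosts) and _read(hosts) == ORIGINAL_HOSTS)

        # Abnormal session: start, then "crash" without stopping.
        start_application_access(hosts)
        result["backup_found_error_would_fire"] = backup_found(hosts)

        # Constructed user edit made after the crash; manual strip must keep it,
        # which is why the manual prefers it over 'Delete backup' in that case.
        user_edit = "10.1.2.3 printer.local\n"
        with open(hosts, "a") as f:
            f.write(user_edit)
        result["lines_removed_by_manual_strip"] = strip_webvpn_lines(hosts)
        result["manual_strip_keeps_user_edit"] = (
            _read(hosts) == ORIGINAL_HOSTS + user_edit)
        return result
```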


E-mail Proxy

WebVPN lets you set up native mail applications on remote systems for automatic access to office e-mail. This feature, called E-mail Proxy, uses the VPN Concentrator as a proxy to the mail server. You need to configure E-mail Proxy on both the VPN Concentrator and the user’s mail application. For more information on configuring E-mail Proxy on the VPN Concentrator, see the Configuration | Tunneling and Security | WebVPN | E-mail Proxy section.

The following instructions explain how to configure the most commonly used e-mail applications: Outlook Express, Netscape, and Eudora.

Example Configuration

Figure C-2 shows the network environment used in the example.

Figure C-2 A Typical E-Mail Proxy Network Scenario

To configure the mail application on the remote system to participate in e-mail proxy, you need to know certain information about the user, the VPN Concentrator, and the e-mail server. Table C-3 shows the information needed, as well as sample values used in the example configurations.

[Figure C-2 labels: E-mail Client on the Public Network; E-mail Requests carried in an SSL Tunnel to the VPN Concentrator (Public IP Address: 90.160.80.15); E-mail Requests from the VPN Concentrator to the E-mail Server (Name: madhatter) on the Corporate Network]

Table C-3 Sample Values Used in the Example E-mail Proxy Configuration

User:

• Name: Alice Smith

• E-mail address: [email protected]

• Outgoing Mail Port (SMTPS): 988

• Incoming Mail Port (POP3S): 995

• Username: AliceSmith

• Password: 12345

VPN Concentrator:

• Public IP Address: 90.160.80.15

• Outgoing Mail Port (SMTPS): 988

• Incoming Mail Port (POP3S): 995

• Incoming Mail Port (IMAP4S): 993

E-mail Server:

• Username: alice

• Password: abcde

• Server Name: madhatter


Figure C-3 shows the VPN Concentrator E-mail Proxy configuration used in the examples that follow.

Figure C-3 Example VPN Concentrator E-mail Proxy Configuration

Note You can use any VPN Concentrator interface for WebVPN. This example uses the Public interface.


Outlook Express on Windows 2000

These instructions explain how to configure an Outlook Express client running on Windows 2000 to participate in E-mail Proxy.

Configuring Outlook Express

Step 1 Click Start-->Programs-->Outlook Express on the Windows 2000 desktop toolbar. The Outlook Express main window appears. (See Figure C-4.)

Figure C-4 Outlook Express Main Window


Step 2 Select Accounts... from the Tools drop down menu. The Internet Accounts window displays.

Figure C-5 Internet Accounts Window

Step 3 Click the Add button and choose Mail from the menu. The Internet Connection Wizard Your Name window displays. (See Figure C-6.)

Figure C-6 Internet Connection Wizard: Your Name Window


Step 4 Enter a Display Name for the user. This name will appear in the From header of e-mails the user sends. Click Next. The Internet E-mail Address window appears. (See Figure C-7.)

Figure C-7 Internet E-mail Address Window

Step 5 Choose the option: I already have an e-mail address that I’d like to use. Enter the user’s e-mail address at the prompt. Click Next. The E-mail Server Names window appears (See Figure C-8.)

Figure C-8 E-mail Server Names Window


Step 6 Choose the e-mail protocol you configured for E-mail Proxy on the VPN Concentrator.

Step 7 In both the Incoming Mail and the Outgoing Mail fields, enter the IP address of the VPN Concentrator interface on which you enabled the E-mail Proxy protocols. (Our example uses the Public interface.)

Step 8 Click Next. The Internet Mail Logon window appears. (See Figure C-9.)

Figure C-9 Internet Mail Logon Window


Step 9 If the user’s VPN Concentrator username and mail server username are the same, enter this name at the prompt, in the form:

(E-Mail Username)[E-mail Server Delimiter][E-mail Server Name]

Where:

• E-mail Username = The user’s e-mail login name.

• E-mail Server Delimiter = The server delimiter you set on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen to separate the mail username from the server name. (The default e-mail server delimiter is the @ sign.) The delimiter is necessary only if a server name is present.

• E-mail Server Name = The name of the user’s e-mail server. You can omit this field if using the default mail server.

For example: [email protected]

If the user’s VPN Concentrator username and mail server username are different, enter both usernames in the following form:

(VPN Concentrator Username)(VPN Name Delimiter) (E-mail Username) [E-mail Server Delimiter][E-mail Server Name]

Where:

• VPN Concentrator Username = The user’s VPN Concentrator login name.

• VPN Name Delimiter = The delimiter you set on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen that separates the VPN username from the e-mail username. (The default VPN Name Delimiter is a colon.)

• E-mail Username = The name of the user’s e-mail account.

• E-mail Server Delimiter = The server delimiter you set on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen to separate the mail username from the server name. (The default e-mail server delimiter is the @ sign.) The delimiter is necessary only if a server name is present.

• E-mail Server Name = The name of the user’s e-mail server. You can omit this field if using the default mail server.

Step 10 Enter the user’s e-mail password, in the form:

[VPN Concentrator Password] [VPN Name Delimiter] [E-mail Password]

Where:

• VPN Concentrator Password = The user’s VPN Concentrator login password. If the VPN Concentrator password and the mail password are the same, you can omit this field.

• VPN Name Delimiter = The delimiter you configured on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen that separates the VPN username from the e-mail username. (The default VPN Name Delimiter is a colon.) This delimiter is necessary only if the VPN Concentrator password is present.

• E-mail Password = The password for the user’s e-mail account.

For example, 12345:abcde.


Step 11 Click Next. A final window appears. Click Finish.

Figure C-10 Final Wizard Window

Step 12 In the Internet Accounts window, click the Mail tab. (See Figure C-11.)

Figure C-11 Internet Accounts Window: Mail Tab


Step 13 Select the new mail account, then click the Properties button. The Properties window appears. (See Figure C-12.)

Figure C-12 Properties Window: General Tab

Step 14 [Optional] Fill in a server name and add additional user information.


Step 15 Click the Servers tab. (See Figure C-13.)

Figure C-13 Properties Window: Server Tab

Step 16 Under Outgoing Mail Server, check the check box for the option: My server requires authentication. Click the Settings... button. The Outgoing Mail Server window appears. (See Figure C-14.)

Figure C-14 Outgoing Mail Server Window

Step 17 Click Use same settings as my incoming mail server. Click OK.


Step 18 Click the Advanced tab in the Properties window. (See Figure C-15.)

Figure C-15 Properties Window: Advanced Tab

Step 19 Under Server Port Numbers:

a. For the Outgoing Mail field:

– Enter the SMTPS port number you configured on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen.

– Check the check box: This server requires a secure connection (SSL).

b. For the Incoming Mail field:

– Enter the POP3S or IMAP4S port numbers you configured on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen.

– Check the check box: This server requires a secure connection (SSL).

Step 20 Click Apply.

Step 21 Click OK.

The configuration is complete.

To test the configuration, send or receive e-mail. If the test fails, refer to the Outlook Express error messages and check EMAILPROXY events in the VPN Concentrator error log.


Eudora 5.2 on Windows 2000

These instructions explain how to configure a Eudora 5.2 client running on Windows 2000 to participate in E-mail Proxy.

Configuring Eudora

Configuring Eudora to participate in E-Mail Proxy has two steps:

• Configure the client application

• Edit the eudora.ini file

Configuring the Client Application

Step 1 Start Eudora. The Eudora Main Window displays. (See Figure C-16.)

Figure C-16 Eudora Main Window


Step 2 Choose Options... from the Tools drop down menu. The Options window displays. Click the Getting Started icon. (See Figure C-17.)

Figure C-17 Eudora Options Window, Getting Started

a. In the Real Name field, enter the name of the user.

b. In the Return Address field, enter a return e-mail address for the user; for example, [email protected]. Replies to mail sent by this user go to this address.

c. In the Mail Server (Incoming) field, enter the hostname or IP of the VPN Concentrator interface on which you enabled (POP3 or IMAP) E-mail Proxy protocols.

d. If the user’s VPN Concentrator username and mail server username are the same, enter this name in the Login Name field in the form:

(E-Mail Username)[E-mail Server Delimiter][E-mail Server Name]

Where:

– E-mail Username = The user’s e-mail login name.

– E-mail Server Delimiter = The server delimiter you set on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen to separate the mail username from the server name. (The default e-mail server delimiter is the @ sign.) The delimiter is necessary only if a server name is present.

– E-mail Server Name = The name of the user’s e-mail server. You can omit this field if using the default mail server.

For example: [email protected]

If the user’s VPN Concentrator username and mail server username are different, enter both usernames in the following form:

(VPN Concentrator Username)(VPN Name Delimiter) (E-mail Username) [E-mail Server Delimiter][E-mail Server Name]

Where:

– VPN Concentrator Username = The user’s VPN Concentrator login name.

– VPN Name Delimiter = The delimiter you set on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen that separates the VPN username from the e-mail username. (The default VPN Name Delimiter is a colon.)


– E-mail Username = The name of the user’s e-mail account.

– E-mail Server Delimiter = The server delimiter you set on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen to separate the mail username from the server name. (The default e-mail server delimiter is the @ sign.) The delimiter is necessary only if a server name is present.

– E-mail Server Name = The name of the user’s e-mail server. You can omit this field if using the default mail server.

e. In the SMTP Server (Outgoing) field, enter the hostname or IP of the VPN Concentrator interface on which you enabled the SMTP E-mail Proxy protocol.

f. Check the Allow Authentication check box.

Step 3 Click the Checking Mail icon. (See Figure C-18.) Under Secure Sockets when Receiving, choose Required, Alternate Port from the drop down menu.

Figure C-18 Eudora Options Window, Checking Mail

Step 4 Click the Incoming Mail icon. (See Figure C-19.) Choose your server configuration type: POP or IMAP.


Figure C-19 Eudora Options Window, Incoming Mail


Step 5 Click the Sending Mail icon. (See Figure C-20.) Under Secure Sockets when Receiving, choose Required, Alternate Port from the drop down menu.

Figure C-20 Eudora Options Window, Sending Mail

Step 6 Click the OK button. The Options window closes.

Step 7 Quit Eudora by choosing Exit from the File menu.

Editing the eudora.ini File

Step 1 Locate the eudora.ini file in the Eudora default installation directory.

Note If you do not have a eudora.ini file on your system, copy the deudora.ini file and rename the copy eudora.ini.

Step 2 Open eudora.ini in any text editor.

Step 3 Find the following line of text:

[Settings]

Step 4 Beneath this line, add the following three lines:

SSLPOPAlternatePort=[POP Port]
SSLIMAPAlternatePort=[IMAP Port]
SSLSMTPAlternatePort=[SMTP Port]

Where:

• POP Port = The POP3S port configured on the Configuration | Tunneling and Security | WebVPN | E-mail screen of the VPN Concentrator. The default is 995.

• IMAP Port = The IMAP4S port configured on the Configuration | Tunneling and Security | WebVPN | E-mail screen of the VPN Concentrator. The default is 993.

• SMTP Port = The SMTPS port configured on the Configuration | Tunneling and Security | WebVPN | E-mail screen of the VPN Concentrator. The default is 988.


For example:

[Settings]
SSLPOPAlternatePort=995
SSLIMAPAlternatePort=993
SSLSMTPAlternatePort=988

The configuration is complete.

Using Eudora with E-Mail Proxy

When the user sends or receives mail, Eudora prompts for a password.

• If the user’s VPN Concentrator password and e-mail password are the same, enter that password.

• If the VPN Concentrator password and e-mail password are different, enter them both in the form:

[VPN Concentrator Password] [VPN Name Delimiter] [E-mail Password]

Where:

– VPN Concentrator Password = The user’s VPN Concentrator login password.

– VPN Name Delimiter = The delimiter you configured on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen that separates the VPN username from the e-mail username. (The default VPN Name Delimiter is a colon.)

– E-mail Password = The password for the user’s e-mail account.

For example, 12345:abcde.


Netscape Mail v. 7 on Windows 2000

These instructions explain how to configure a Netscape client running on Windows 2000 to participate in E-mail Proxy.

Step 1 Start the Netscape Mail & Newsgroups program. The Netscape Mail window appears. (See Figure C-21.)

Figure C-21 Netscape Mail Window

Step 2 Choose default on mail from the Name list in the frame on the left. The Default on Mail window appears. (See Figure C-22.)


Figure C-22 Default on Mail Window

Step 3 Under Accounts, click the Create a New Account link. The Account Wizard New Account Setup window appears. (See Figure C-23.)

Figure C-23 Account Wizard: New Account Setup Window

Step 4 Choose the Email account option. Click Next. The Identity window appears. (See Figure C-24.)


Figure C-24 Account Wizard: Identity Window

Step 5 In the Your Name field, enter the user’s name. This name will appear in the From header of e-mails the user sends.

Step 6 In the Email Address field, enter the user’s e-mail address. Click Next. The Server Information window appears. (See Figure C-25.)

Figure C-25 Account Wizard: Server Information Window

Step 7 Choose the mail protocol you are using for incoming mail (POP or IMAP).

Step 8 Enter the IP address of the interface of the VPN Concentrator on which you enabled the POP or IMAP E-mail Proxy protocol. Click Next. The User Name window appears. (See Figure C-26.)


Figure C-26 Account Wizard: User Name Window

Step 9 Enter the user’s mail server username at the prompt. If the user’s VPN Concentrator username and mail server username are the same, enter this name in the form:

(E-Mail Username)(E-mail Server Delimiter)[E-mail Server Name]

Where:

– E-mail Username = The user’s e-mail login name.

– E-mail Server Delimiter = The server delimiter you set on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen to separate the mail username from the server name. (The default e-mail server delimiter is the @ sign.) The delimiter is necessary only if a server name is present.

– E-mail Server Name = The name of the user’s e-mail server. You can omit this field if using the default mail server.

For example: [email protected]

If the user’s VPN Concentrator username and mail server username are different, enter both usernames in the following form:

(VPN Concentrator Username)(VPN Name Delimiter) (E-mail Username) (E-mail Server Delimiter) (E-mail Server Name)

Where:

– VPN Concentrator Username = The user’s VPN Concentrator login name.

– VPN Name Delimiter = The delimiter you set on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen that separates the VPN username from the e-mail username. (The default VPN Name Delimiter is a colon.)

– E-mail Username = The name of the user’s e-mail account.

– E-mail Server Delimiter = The server delimiter you set on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen to separate the mail username from the server name. (The default e-mail server delimiter is the @ sign.) The delimiter is necessary only if a server name is present.


– E-mail Server Name = The name of the user’s e-mail server. You can omit this field if using the default mail server.

For example: AliceSmith:alice@madhatter

Step 10 Click Next. The Account Name window appears. (See Figure C-27.)

Figure C-27 Account Wizard: Account Name

Step 11 Enter a name for this account. Click Next. The Account Wizard displays a final window. (See Figure C-28.)


Figure C-28 Account Wizard: Final Window

Step 12 Click Finish. The Account Wizard window closes.

Step 13 Click the name of the account you just created from the Name list on the left of the Netscape Mail window. (See Figure C-29.) The Netscape Mail window appears. (See Figure C-30.)

Figure C-29 Netscape Mail Window

Step 14 Click the View settings for this account link. The Account Settings window appears. (See Figure C-30.)


Figure C-30 Account Settings

Step 15 Choose Server Settings from the list at the left of the window. The Server Settings window appears. (See Figure C-31.)

Figure C-31 Server Settings Window

Step 16 In the Port field, enter the POP3S or IMAP4S port number you configured on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen.

Step 17 Check the Use Secure Connection (SSL) check box.


Step 18 On the left side of the window, choose Outgoing Server (SMTP). The Outgoing Server Settings window appears. (See Figure C-32.)

Figure C-32 Outgoing Server Settings Window

Step 19 In the Server Name field, enter the IP address of the interface of the VPN Concentrator on which you enabled the SMTP E-mail Proxy protocol.

Step 20 In the Port field, enter the SMTP port number you configured on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail screen.

Step 21 Check the Use Name and password check box, and enter the user’s e-mail account name in the same format you used in Step 9.

Step 22 Choose Use secure Settings (SSL): Always.

Step 23 Click OK.

Configuration is complete.

Sending and Receiving E-mail

When users send or receive e-mail, Netscape prompts for a password. Enter the password, in the form:

[VPN Concentrator Password] [VPN Name Delimiter] [E-mail Password]

Where:

• VPN Concentrator Password = The user’s VPN Concentrator login password. If the VPN Concentrator password and the mail password are the same, you can omit this field.

• VPN Name Delimiter = The delimiter you configured on the VPN Concentrator Configuration | Tunneling and Security | WebVPN | E-mail that separates the VPN username from the e-mail username. (The default VPN Name Delimiter is a colon.) This delimiter is necessary only if the VPN Concentrator password is present.


• E-mail Password = The password for the user’s e-mail account.

For example, 12345:abcde.
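All three clients above use the same login formats (Outlook Express Steps 9 and 10, Eudora Step 2d and its password prompt, Netscape Step 9 and its password prompt). As an added example that is not part of the manual, the following Python builds those strings from their parts, applying the omission rules the text gives, and splits them back apart the way the concentrator side has to; the delimiter defaults (colon and @) and the sample values are the manual's.

```python
"""Assembling and parsing the E-mail Proxy username and password strings.
Added example, not Cisco's code; delimiter defaults and sample values follow
the manual (AliceSmith/12345 for the concentrator, alice/abcde on madhatter)."""


def proxy_login_name(mail_user, vpn_user=None, server=None,
                     vpn_delim=":", server_delim="@"):
    """String typed into the mail client's username field.
    The VPN Concentrator username and the VPN Name Delimiter appear only when
    that username differs from the mail username; the E-mail Server Delimiter
    and server name appear only when a non-default mail server is named."""
    name = mail_user
    if server:
        name += server_delim + server
    if vpn_user and vpn_user != mail_user:
        name = vpn_user + vpn_delim + name
    return name


def proxy_password(mail_password, vpn_password=None, vpn_delim=":"):
    """String typed at the password prompt: VPN password, delimiter, mail
    password. The VPN part is omitted when both passwords are the same."""
    if vpn_password and vpn_password != mail_password:
        return vpn_password + vpn_delim + mail_password
    return mail_password


def split_login_name(login, vpn_delim=":", server_delim="@"):
    """Inverse of proxy_login_name, as the concentrator must perform it.
    Returns (vpn_user, mail_user, server). An absent part is None; an absent
    VPN username means the mail username is also the concentrator login.
    The split is unambiguous only when neither delimiter can occur inside a
    username, which is why both delimiters are configurable on the
    concentrator rather than fixed."""
    if vpn_delim in login:
        vpn_user, _, rest = login.partition(vpn_delim)
    else:
        vpn_user, rest = None, login
    mail_user, _, server = rest.partition(server_delim)
    return vpn_user, mail_user, server or None


def split_password(secret, vpn_delim=":"):
    """Inverse of proxy_password: returns (vpn_password, mail_password).
    With no delimiter present, the one password serves both logins."""
    if vpn_delim in secret:
        vpn_pw, _, mail_pw = secret.partition(vpn_delim)
        return vpn_pw, mail_pw
    return secret, secret


if __name__ == "__main__":
    # The manual's Netscape example: different usernames, named server.
    print(proxy_login_name("alice", "AliceSmith", "madhatter"))  # AliceSmith:alice@madhatter
    print(proxy_password("abcde", "12345"))                       # 12345:abcde
    print(split_login_name("AliceSmith:alice@madhatter"))
```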

Index

A

Access Control List (ACL)

WebVPN 110, 111

Port Forwarding 57

access hours, configuring 14-3

add 14-4

modify 14-4

accessing the VPN Concentrator using SSL 24

accounting record attributes, RADIUS 5-32

accounting servers, configuring 5-32

add

access hours 14-4

address pool 6-6

email recipient of events 49

event class 34

filter (traffic management) 14-40

filter rule (traffic management) 14-15

IKE proposal 15-33

IPSec LAN-to-LAN connection 15-16

NAT rule 14-55

network list 14-9

NTP host 5-48

OSPF area 7-13

Port Forwarding 15-65

security association (traffic management) 14-29

security association to rule on filter 14-46

SMTP server for events 46

SNMP community 8-13

SNMP event destination 39

static route for IP routing 7-5

syslog server to receive events 42

user on internal server (user management) 162

address management, configuring 6-2

address pools

configuring 6-5

add 6-6

modify 6-6

alarm thresholds, power 3-6

alerts, IPSec 15-40

application access

and e-mail proxy C-6

and hosts file errors C-7

and Web Access C-6

configuring 15-67

configuring client applications for C-5

enabling cookies on browser C-5

privileges C-5

quitting properly C-5, C-7

re-enabling C-8

setting up on client C-5

using e-mail C-6

with IMAP client C-6

Application Access See also Port Forwarding

Application Access window 158

Are You There (AYT) firewall policy 37, 41, 90, 94

assignment of IP addresses, configuring 6-3

assign rules to filter (traffic management) 14-43

authenticating

clients with digital certificates 26

WebVPN users 79

WebVPN users with digital certificates 27

authentication

feature summary 48, 100

SSL Client 15-45

authentication parameters

changing group delimiter 10-9

global 10-9


order of checking 10

authentication servers

configuring 5-3

internal 5-15

Kerberos/Active Directory 5-13, 124

NT Domain 5-9

RADIUS 5-7

SecurID 5-11, 122

internal 10

testing 5-17, 127

authorization, WebVPN 24

authorization parameters

authorization required 25, 80

authorization type 24, 80

DN field 25, 81

authorization servers

configuring 5-24, 130

LDAP 5-26, 134

RADIUS 5-24, 132

testing 5-30, 138

autodiscovery, network 15-11, 15-23

automatic software update, See client update 11-1

automatic switchover (redundancy) 7-19

B

Backup LAN-to-LAN, See IPSec LAN-to-LAN, redundancy

bandwidth management

bandwidth aggregation 14-66

bandwidth policing 14-65, 14-67

bandwidth reservation 14-65

burst size 14-67

configuring 14-67

enabling on interface 3-20, 14-64, 14-67

in LAN-to-LAN configuration 14-67, 14-68

overview of 14-65

policing rate 14-67

policy


assigning to group 150, 14-67

assigning to interface 3-22, 14-67

assigning to LAN-to-LAN 14-67, 15-23

specifying the link rate 3-20, 14-67

bandwidth policies, configuring 14-64

banner for IPSec clients, configuring 34, 85

base group

configuring (user management) 12

global preshared secret 27

bibliography xxxi

bootcode, upgrading xxx

browser

installing SSL certificate 1-5

navigation toolbar, do not use with Manager 1-3

Netscape Navigator, problems with 1-3

requirements 1-2

built-in servers, configuring

See management protocols 8-1

burst size 14-67

C

Central Protection Policy (CPP) 37, 41, 90, 94, 14-15

certificate group matching 14-72

defining rules 14-72

fields 14-76

policy 14-79

configuring 14-72

rules

adding 14-74, 14-76

assigning to groups 14-76

deleting 14-74

enabling 14-76

modifying 14-74, 14-76

reordering 14-74

certificates See digital certificates

change security association on rule 14-48

Cisco IP Phone Bypass 44

CiscoSecure ACS server 5-3, 9

Cisco VPN Client

IPSec attributes 14-24

IPSec support 17, 73, 169

route advertisement 7-23

supports Mode Configuration 28, 83

CLI, WebVPN capture tool 32

client authentication, SSL 15-45

client authentication using digital certificates 26

client firewall 37, 90

Are You There (AYT) policy 37, 41, 90, 94

Central Protection Policy (CPP) 37, 41, 90, 94, 14-15

configuring rules for firewall filters 37, 90, 14-15, 14-17, 14-19, 14-22

custom 40, 93

local 37, 90

split tunneling 37, 90

supported products 39, 92

vendor and product codes 40, 93

Zone Labs Integrity Server 37, 41, 90, 94

client update 11-1

enabling 11-3

image files 11-2

compression

IPComp 26, 81

MPPC 51, 53, 104, 106

configuration section of Manager 2-1

connecting to VPN Concentrator

using HTTP 1-4

using HTTPS 1-20

conventions

documentation xxx

typographic xxx

cookies, enabling for WebVPN 26

copy

filter (traffic management) 14-40

filter rule (traffic management) 14-15

IKE proposal 15-33

network list 14-9

crash, system, saves log file 24

D

data

formats xxxiii

date and time, configuring 10-3

Daylight-Saving Time, enabling 10-4

default

event handling, configuring 23

filter rules

table 14-12

using 14-11

filters

table 14-38

using 14-37

gateways, configuring for IP routing 7-7

IKE proposals

table 15-30

security associations, table 14-26, 14-27

tunnel gateway, configuring 7-7

delete

filter rule (traffic management) 14-23

group (user management) 62

internal authentication server 5-16

security association (traffic management) 14-36

user on internal server (user management) 161

DHCP

functions within the VPN Concentrator, configuring 7-15

IP address range 17, 73

servers, configuring 5-38

modify 5-40

digital certificates

authenticating clients 26

authenticating WebVPN users 23, 79, 15-45, 27

configuring for WebVPN 26

for authenticating e-mail users 26

for e-mail proxy 26

IPSec LAN-to-LAN 15-19

SSL 15-44, 26

transmission 15-20

display settings 1-3

DNS

configuring for group 71

servers, configuring 5-36

DNS, configuring for WebVPN 28

documentation

additional xxx

conventions xxx

DST (Daylight-Saving Time), enabling 10-4

dynamic filters 14-1

E

e-mail, configuring for WebVPN 30

e-mail proxy

and WebVPN C-6

configuring C-10

Eudora 5.2 on Windows 2000 C-21

Netscape Mail on Windows 2000 C-27

Outlook Express on Windows 2000 C-12

digital certificates 26

WebVPN 30

email recipients of events, configuring 47

add 49

Ethernet interfaces

See also interfaces

event classes

configuring for special handling 32

add 34

modify 34

table 17

tracking specific 28

event identifier, tracking events by 28

event log 21

capacity 21

deleting from flash memory 23

file size 24

save 23

saved at system reboot 24

saved if system crashes 24

saving in flash memory 23

saving via FTP 24, 30

events

configuring 22, 23, 32

section of Manager 17

tracking specific 28

event severity levels

table 20

tracking events of a specific severity 28

event trap destinations, configuring 37

Extended Authentication in IPSec 24, 80

F

file access, enabling for WebVPN 56, 109

filter 14-1

add (traffic management) 14-40

add security association to rule on 14-46

assign rules to (traffic management) 14-43

configuring

base group 15

group 69

user 167

configuring (traffic management) 14-37

configuring on interface

Ethernet 3-12

copy (traffic management) 14-40

default

table 14-38

using 14-37

modify (traffic management) 14-40

filter rules 14-1

add (traffic management) 14-15

configuring 14-11

copy (traffic management) 14-15

default

table 14-12

using 14-11

delete (traffic management) 14-23

modify (traffic management) 14-15

filters

dynamic 14-1

firewall 14-15, 14-38

firewall

client 90

client, See also client firewall

definition 37, 90

flash memory, saving log files in 23

formats

data xxxiii

fragmentation policy, IPSec 3-14, 15-22

FTP

configuring internal server 8-2

using to save log files 24, 30

G

gateways, default 7-7

general parameters, configuring 10-1

global authentication parameters 10-9

global authentication parameters, WebVPN 27

global authorization parameters, WebVPN 27

global parameters, WebVPN 27

group delimiter, changing 10-9

group parameters, WebVPN 27

groups

configuring user

modifying internal 64

configuring users 61

deleting 62

modifying external 114

H

hold down routes, adding to routing table 7-23

host key, SSH 15-41

hostnames vs. IP addresses 157

hosts file 159

errors C-7

WebVPN 15-68

HTTP

configuring internal server 8-4

using with Manager 1-4

HTTP/HTTPS Web VPN proxy, setting 26

HTTPS

configuring internal server 8-4

connecting using 1-20

login screen 1-20

WebVPN requirement 15-43

HTTPS management for WebVPN 24

I

identification, system 10-2

idle time allowed in keepalive monitoring 22

idle timeout 14, 69, 96, 166

IKE keepalives 22, 78

Easy VPN compliant clients 22, 78

idle time allowed in keepalive monitoring 78

IKE proposals

active 15-31

add 15-33

configuring 15-29

add 15-33

copy 15-33

modify 15-33

copy 15-33

default

table 15-30

inactive 15-31

in security association 14-24

IPSec LAN-to-LAN 15-21

modify 15-33

IKE security association

See security associations

inheritance, of group and user parameters 1-3

installing SSL certificate

with Internet Explorer 1-6

with Netscape 1-13

Install SSL Certificate (screen) 1-5

interfaces

configuring 3-2

Ethernet, configuring 3-9

OSPF 3-17

RIP 3-15

speed 3-12

transmission mode 3-12

filter

Ethernet 3-12

public 3-11, 14-54, 15-15

section of Manager 3-1

status 3-4

internal authentication server

configuring 5-15

deleting 5-16

maximum groups and users 10

Internet Explorer, requirements 1-2

IP addresses

configuring assignment of 6-3

IPComp data compression 26, 81

IP Phone Bypass 44

IP routing

configuring 7-2

section of Manager 7-1

IPSec

alerts 15-40

banner for clients 34, 85

Cisco VPN Client 17, 73, 169, 14-24, 15-9

configuring 15-9

base group 17, 18

group (internal) 73, 74

user (internal server) 169, 170

WebVPN parameters 74

data compression 26, 81

discussion 15-9

fragmentation policy 3-14, 15-22

maximum active sessions 10-5

Mode Configuration 28, 83

rules 14-6

security associations

See security associations

XAuth 24, 80

IPSec LAN-to-LAN

automatic parameters 14-18, 15-18, 15-28

configuring 15-11

add or modify connection 15-16

bandwidth management policy 15-23

no public interfaces screen 15-15

parameters for redundant systems 7-19

digital certificates 15-19

Done (screen) 15-28

redundancy 15-11

and load balancing 15-11

configuring 15-12

example 15-13

VRRP 15-11

rules that apply IPSec 14-18

using network lists 15-18, 15-23, 15-26

IPSec NAT-T 15-22

IPSec over TCP 15-37

IPSec through NAT, configuring base group 30

J

JavaScript, requirements 1-2

K

keepalives, See IKE keepalives 78

Kerberos/Active Directory authentication

configuring 5-13, 124

on Linux server 124

Kerberos/Active Directory authentication, configuring

on Linux server 5-13

L

L2TP

configuring

base group 17, 49

group (internal) 73, 101

system-wide parameters 15-6

user (internal server) 169, 173

data compression 53, 106

L2TP/IPSec, maximum active sessions 10-5

L2TP over IPSec

configuring

base group 17

group (internal) 73

user (internal server) 169

default security association to use 20, 76, 171

do not use Mode Configuration 28, 83

IKE proposal required 15-31

no IPSec user authentication 24, 80

Windows 2000 client support 17, 73, 169, 15-1

LAN-to-LAN

See IPSec LAN-to-LAN

Layer 2 Tunneling Protocol, See L2TP

LDAP authorization servers, configuring 5-26, 134

LEAP Bypass

configuring 44, 96

explanation 46, 98

Linux server and Kerberos/Active Directory authentication 5-13, 124

load balancing 12-1

and VRRP 7-19, 12-1

configuring 12-4

cluster 12-5

device 12-6

preliminary steps 12-2

device priority 12-6

defaults 12-6

virtual cluster 12-1

local LAN access for VPN client 34, 87

log files

See event log

logging in the VPN Concentrator Manager 1-21

login

name

factory default (Manager) 1-21

password, factory default (Manager) 1-21

screen 1-4

HTTPS 1-20

Internet Explorer 1-10

Netscape 1-17

M

management protocols, configuring 8-1

masks, wildcard 15-23, 15-24, 15-27

maximum active sessions 10-6

examples 10-8

IPSec, PPTP and L2TP/IPSec 10-5

WebVPN 10-5, 10-7

maximum permitted sessions 10-5

maximum sessions

ratios of WebVPN to IPSec, PPTP and L2TP/IPSec sessions 10-7

WebVPN or IPSec, PPTP, and L2TP (table) 10-6

memory, upgrading xxx

MIB-II, system object 10-2

Mode Configuration in IPSec 28, 83

Cisco VPN Client support 83

Cisco VPN Client supports 28

split tunneling 28, 83

modify

access hours 14-4

accounting server 5-34

address pool 6-6

authentication server 5-7

authorization server 5-24

DHCP server 5-40

event class 34

filter (traffic management) 14-40

filter rule (traffic management) 14-15

group (external) (user management) 114

group (internal) (user management) 64

IKE proposal 15-33

IPSec LAN-to-LAN connection 15-16

NAT rule 14-55

network list 14-9

NTP host 5-48

OSPF area 7-13

Port Forwarding 15-65

security association (traffic management) 14-29

SMTP server for events 46

SNMP community 8-13

SNMP event trap destination 39

static route, for IP routing 7-5

syslog server to receive events 42

user on internal server (user management) 162

monitor / display settings 1-3

movianVPN client support 20, 76, 171, 14-32, 14-35, 15-21, 15-35

MPPC data compression 51, 53, 104, 106

MTU 3-13

N

NAT

configuring 14-50

enable 14-51

no public interfaces screen 14-54

NAT rules, configuring 14-52

add 14-55

modify 14-55

NAT-T (NAT Traversal) 15-22, 15-38

NAT transparency 15-37

navigating the VPN Concentrator Manager 1-22

NetBIOS Name, configuring 5-43

Netscape Navigator

problems with 1-3

requirements 1-2

network autodiscovery 15-11, 15-23

network lists 14-1

configuring 14-7

add 14-9

automatic generation 14-10

copy 14-9

modify 14-9

IPSec LAN-to-LAN 15-18, 15-23, 15-26

network time, configuring

See NTP 5-45

No Public Interfaces screen

IPSec LAN-to-LAN 15-15

NAT 14-54

NT Domain, configuring authentication server 5-9

NTP, configuring 5-45

hosts (servers) 5-47

add 5-48

modify 5-48

synchronization 5-46

O

organization of the VPN Concentrator Manager 1-22

OSPF 3-1, 3-2

configuring

on Ethernet interface 3-17

system-wide parameters 7-10

with reverse route injection 7-22

OSPF areas, configuring 7-12

add 7-13

modify 7-13

Outlook Web Access (OWA) and WebVPN C-6

P

password

factory default (Manager) 1-21

policing rate 14-67

policy management

configuring 14-2

section of Manager 14-1

Port Forwarding

configuring 155, 15-63

add or modify 15-65

configuring client applications for C-5

enabling 57

power thresholds, configuring 3-6

PPTP

configuring

base group 17, 49

group (internal) 73, 101

system-wide parameters 15-3

user (internal server) 169, 173

data compression 51, 104

maximum active sessions 10-5

pre-shared secret 27

product codes for client firewalls 40, 93

R

RADIUS

accounting, configuring 5-32

accounting record attributes 5-32

authentication server, configuring 5-7

authorization server, configuring 5-24, 132

Cisco Secure ACS RADIUS server 9

Class attribute format to authenticate group name 61

ratios of WebVPN to IPSec, PPTP and L2TP/IPSec sessions 10-7

RC4 encryption, WebVPN 15-47

reboot system, saves log file 24

redundancy

configuring, system 7-19

IPSec LAN-to-LAN 15-11

references (bibliography) xxxi

regeneration, SSH server key 15-42

requirements

browser 1-2

Internet Explorer 1-2

JavaScript 1-2

Netscape Navigator 1-2

reverse route injection 7-22, 15-23

RIP 3-1, 3-2

configuring on Ethernet interface 3-15

with network autodiscovery 15-23

with reverse route injection 7-22

routes

adding to routing table

network autodiscovery 15-23

reverse route injection 15-23

routes, adding to routing table

reverse route injection 7-22

RRI See reverse route injection

RSA Security 5-11, 122

rules 14-1

add security association to, on filter 14-46

assign to filter (traffic management) 14-43

change security association on 14-48

filter, configuring 14-11

rules, NAT, configuring 14-52

add 14-55

modify 14-55

S

SAs See security associations

SAVELOG.TXT file 24

screen

login 1-4

login, using HTTPS 1-20

SDI 5-11, 122

SecurID, configuring authentication server 5-11, 122

security associations 14-1

add to rule on filter 14-46

change on rule 14-48

configuring 14-24

add 14-29

delete 14-36

modify 14-29

default, table 14-26, 14-27

IKE proposals in 14-24

negotiation phases 14-24

server key

SSH 15-41

regeneration 15-42

servers 5-1

configuring

authentication 5-3

authorization 5-20, 130

DHCP 5-38, 5-40

DNS 5-36

firewall 5-41

internal authentication 5-15

Kerberos/Active Directory authentication 5-13, 124

LDAP authorization 5-26, 134

NetBIOS NAME 5-43

NT Domain authentication 5-9

NTP 5-45

NTP Hosts 5-47, 5-48

RADIUS accounting 5-32

RADIUS authentication 5-7

RADIUS authorization 5-24, 132

SDI authentication 5-11

system access to 5-1

deleting internal authentication 5-16

testing

authentication 5-16

authorization 5-30, 138

servers and URLs, WebVPN 152

session key, SSH 15-41

sessions

maximum active 10-6

examples 10-8

WebVPN or IPSec, PPTP and L2TP/IPSec 10-5

maximum active WebVPN 10-7

maximum permitted 10-5

changing 10-5

WebVPN or IPSec, PPTP, and L2TP (table) 10-6

ratios of WebVPN to IPSec, PPTP and L2TP/IPSec sessions 10-7

SMTP servers, configuring for events 44

add 46

modify 46

SNMP

configuring internal server 8-10

event trap destinations, configuring 37

add 39

modify 39

traps, configuring "well-known" 27

SNMP communities, configuring 8-12

add 8-13

modify 8-13

software update, automatic 11-1

enabling 11-3

image files 11-2

speed, configuring Ethernet interface 3-12

split tunneling

firewalls 37, 90

IPSec

requires Mode Configuration 28, 83

network list 36, 88

policy 34, 87

SSH

host key 15-41

server key 15-41

server key regeneration 15-42

session key 15-41

SSL

certificate 15-44, 26

client authentication 15-45

configuring WebVPN session 15-43

used to access the VPN Concentrator 24

SSL/TLS

WebVPN tunneling protocols 17

SSL/TLS encryption protocols, configuring 25

SSL certificate

installing in browser 1-5

installing with Internet Explorer 1-6

installing with Netscape 1-13

viewing with Internet Explorer 1-11

viewing with Netscape 1-18

VPN Concentrator 1-5

SSL certificate, checking certificate currency 26

static routes, configuring for IP routing 7-3

add 7-5

modify 7-5

strip realm 17

Sun Microsystems Java™ Runtime Environment (JRE) and WebVPN C-5

switchover, automatic (redundancy) 7-19

syslog servers, configuring for events 41

add 42

modify 42

system configuration section of Manager 4-1

system identification, configuring 10-2

T

Telnet, configuring internal server 8-8

TFTP

and automatic software update 11-1

configuring internal server 8-6

time and date, configuring 10-3

timeout 69, 96

time zone, configuring 10-3

traffic management, configuring 14-6

transmission mode, configuring Ethernet interface 3-12

transparency, NAT 15-37

traps, configuring

"well-known" 27

destination systems 37, 39

general events 27

specific events 36

troubleshooting, consulting the event log 21

tunnel default gateway, configuring 7-7

tunneling protocols

configuring 15-2

section of Manager 15-1

WebVPN 73, 169

typographic conventions xxx

U

upgrading

bootcode xxx

memory xxx

URL entry

enabling on WebVPN 109

use with WebVPN 55

URLs, WebVPN capture tool 32

user attributes, default

See base group 12

user management

configuring 11

section of Manager 9

users

configuring on internal server (user management) 160

add 162

delete 161

modify 162

V

vendor codes for client firewalls 40, 93

viewing SSL certificates

with Internet Explorer 1-11

with Netscape 1-18

virtual cluster 12-1

configuration 12-5

IP address 12-1

master 12-1

VPN 3002 Hardware Client

route advertisement 7-23

software update 11-1

VPN Client, IPSec attributes 15-9

VPN Concentrator Manager

logging in 1-21

navigating 1-22

organization of 1-22

VPN Concentrator SSL certificate, checking 26

VRRP, configuring 7-19

W

web browsing with WebVPN C-4

web e-Mail (Outlook Web Access)

Outlook Web Access 30

WebVPN

Access Control List (ACL) 110, 111

Port Forwarding 57

user sessions 58

Application Access window 158, 15-67

authenticating with digital certificates 23, 79, 15-45, 27

authorization 24

capture tool 32

client application requirements C-2

client requirements C-2

for e-mail C-6

for file management C-4

for network browsing C-4

for port forwarding C-5

for using applications C-5

for web browsing C-4

start-up C-3

configuration options 28

configuring 107, 15-48

DNS 16

DNS globally 28

e-mail 30

E-mail proxy 15-55

home page 15-50

HTTP/HTTPS proxy 15-49

IPSec parameters 18

logo 15-53

Port Forwarding 15-63

add or modify 15-65

servers and URLs 15-60

add or modify 15-61

SSL options 15-43

with VPN Concentrator Manager 28

cookies 26

e-mail proxy 30

enable cookies for C-5

enabling file access 56, 109

enabling URL entry 55, 109

end user set-up C-1

global and group settings 27

global authentication and authorization settings 27

hosts file 15-68

HTTP/HTTPS proxy, setting 26

HTTPS required 15-43

idle timeout 14, 69, 96

IPSec parameters, configuring 74

maximum active sessions 10-5, 10-7

parameters 54, 109

Port Forwarding

configuring 63, 155

enabling 57

printing and C-3

RC4 encryption 15-47

security tips C-2

servers and URLs 152

servers and URLs, configuring 63

session limits and throughput 10-5

supported applications C-2

supported browsers C-3

supported types of Internet connections C-3

troubleshooting C-7

tunneling protocols 17, 73, 169

URL C-3

user authorization 80

username and password required C-3

use suggestions C-1, C-2

WebVPN session

configuring

SSL 15-43

SSL parameters 15-2

welcome text for IPSec clients, configuring 34, 85

wildcard masks 14-10, 14-19, 15-23, 15-24, 15-27

Windows 2000 client

configure transport mode 14-31

L2TP over IPSec support 17, 73, 169, 15-1

Mode Configuration 28, 83

PPTP support 17, 73, 169

WINS, configuring for group 71

wireless support, See movianVPN client support 15-35

X

XAuth 24, 80

XML, configuring as system management protocol 8-14

Z

Zone Labs Integrity Server 37, 41, 90, 94
